
Windows Analysis Report
1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe

Overview

General Information

Sample name: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe
Analysis ID: 1483070
MD5: 7bccbac8a232ff442b0840adcc1eb718
SHA1: e2800e1cfb0beaddadcf275d0f07c8aab27259c5
SHA256: 2c4b0e1df5a390f1dd275ba8bcf16ed61c411c5d8a076094f7614384ca28d865
Tags: base64-decoded, exe, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Uses dynamic DNS services
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration Extractor: Remcos
{"Host:Port:Password": "2024remcmon.duckdns.org:14645:1", "Assigned name": "zynova", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R2I0JW", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author
1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  Strings:
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:
Source | Rule | Description | Author
00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x134a8:$a1: Remcos restarted by watchdog!
  • 0x13a20:$a3: %02i:%02i:%02i:%03i
00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security

Source | Rule | Description | Author
0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  Strings:
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: …, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, ProcessId: 6976, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-R2I0JW\exepath
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-26T15:41:55.253385+0200 | 2022930 | 443 | 49713 | TCP | A Network Trojan was detected
2024-07-26T15:40:57.008456+0200 | 2803304 | 49705 | 80 | TCP | Unknown Traffic
2024-07-26T15:40:55.425506+0200 | 2036594 | 49704 | 14645 | TCP | Malware Command and Control Activity Detected
2024-07-26T15:41:15.983405+0200 | 2022930 | 443 | 49706 | TCP | A Network Trojan was detected


AV Detection

Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Avira: detected
Source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "2024remcmon.duckdns.org:14645:1", "Assigned name": "zynova", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R2I0JW", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | ReversingLabs: Detection: 89%
Source: Yara match | File source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_004074FD _wcslen,CoGetObject
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0044E879 FindFirstFileExA
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040783C FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

Networking

Source: Malware configuration extractor | URLs: 2024remcmon.duckdns.org
Source: unknown | DNS query: name: 2024remcmon.duckdns.org
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 192.210.214.9
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: 2024remcmon.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000689000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/2
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000660000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000680000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000680000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000660000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpK
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpU
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000660000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx

E-Banking Fraud

Source: Yara match | File source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041C9E2 SystemParametersInfoW

                  System Summary

                  barindex
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0043E0CC
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041F0FA
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00454159
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00438168
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_004461F0
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0043E2FB
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0045332B
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0042739D
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_004374E6
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0043E558
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00438770
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_004378FE
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00433946
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0044D9C9
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00427A46
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041DB62
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00427BAF
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00437D33
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00435E5E
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00426E0E
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0043DE9D
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00413FCA
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00436FEA
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: String function: 00434E10 appears 54 times
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: String function: 00402093 appears 50 times
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: String function: 00434770 appears 42 times
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: String function: 00401E65 appears 35 times
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@2/2
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R2I0JW
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: PG (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: Software\ (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: Rmc-R2I0JW (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: Exe (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: Inj (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: 8)b (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: 8SG (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: exepath (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: licence (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: dMG (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: PSG (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: Administrator (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: User (0_2_0040E9C5)
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Command line argument: del (0_2_0040E9C5)
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | ReversingLabs: Detection: 89%
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00457106 push ecx; ret 0_2_00457119
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00457A28 push eax; ret 0_2_00457A46
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00434E56 push ecx; ret 0_2_00434E69
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
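The "Code function:" rows in this report are the raw evidence behind signatures such as "Contains functionality to dynamically determine API calls", "Contains functionality to enumerate running services" and "Contains functionality to download and launch executables": each row is a function address followed by the Win32/Nt API chain the disassembler found in it. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code. It parses rows in the report's flattened layout (the fused "exeCode function:" form, the form with a trailing address link, and the form with the address only at the end) into (address, API chain) pairs and tags each chain with the API combinations the report's signatures rest on. The behaviour table and the threshold of eight GetProcAddress calls for "bulk runtime import resolution" are this example's own assumptions; the sample rows are copied from this report with the long sample path shortened to sample.exe.

```python
import re

# Evidence rows copied from this Joe Sandbox report (sample path shortened to
# sample.exe). Row 0 keeps the fused "exeCode function:" extraction form and
# the trailing link address; the others cover the remaining layouts seen in
# the report, including a row with no leading address and a non-API row.
REPORT_ROWS = [
    r"Source: C:\Users\user\Desktop\sample.exeCode function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,0_2_004132D2",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0043E0CC0_2_0043E0CC",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00417952",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040F474",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AA4A",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CB50",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00457106 push ecx; ret 0_2_00457119",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW,0_2_00406EB0",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0040F7A7 Sleep,ExitProcess,0_2_0040F7A7",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041A748",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C291",
    r"Source: C:\Users\user\Desktop\sample.exe | Code function: String function: 00434E10 appears 54 times",
]

# API combinations behind the report's signatures (this example's own choice,
# not a Joe Sandbox rule set). A chain is tagged when it contains every API
# in the set, regardless of order.
BEHAVIOURS = {
    "reads another process's image via a duplicated handle": {"OpenProcess", "NtQueryInformationProcess", "DuplicateHandle", "MapViewOfFile"},
    "suspends a process": {"OpenProcess", "NtSuspendProcess"},
    "resumes a process": {"OpenProcess", "NtResumeProcess"},
    "adjusts its own token privileges": {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "enumerates running processes": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "enumerates services": {"OpenSCManagerA", "EnumServicesStatusW", "QueryServiceConfigW"},
    "starts a service": {"OpenSCManagerW", "OpenServiceW", "StartServiceW"},
    "downloads and launches a file": {"URLDownloadToFileW", "ShellExecuteW"},
    "resolves imports at runtime": {"LoadLibraryA", "GetProcAddress"},
    "sleeps then exits": {"Sleep", "ExitProcess"},
    "recursively deletes a directory": {"FindFirstFileW", "DeleteFileW", "RemoveDirectoryW"},
}
BULK_RESOLVE_THRESHOLD = 8  # assumption: this many GetProcAddress calls in one function is a resolver

ADDR_RE = re.compile(r"0_\d+_[0-9A-Fa-f]{8}")      # Joe Sandbox "<pid>_<run>_<va>" address token
FUNC_RE = re.compile(r"Code function:\s*(?P<body>.*)$")


def parse_code_function(row):
    """Return (function address, [api, ...]) for a 'Code function:' row, else None.

    The address may lead the chain, trail it as link text, or both; every
    address token is stripped before the chain is split on commas."""
    m = FUNC_RE.search(row)
    if not m:
        return None
    body = m.group("body")
    addrs = ADDR_RE.findall(body)
    if not addrs:
        return None  # e.g. a "String function: 00434E10 appears 54 times" row
    rest = ADDR_RE.sub(" ", body)
    apis = [tok.strip(" ()") for tok in rest.split(",")]
    return addrs[0], [a for a in apis if a]


def tag_behaviours(apis):
    """Names of every BEHAVIOURS entry fully contained in the chain, plus a bulk-resolver tag."""
    present = set(apis)
    tags = [name for name, needed in BEHAVIOURS.items() if needed <= present]
    n = apis.count("GetProcAddress")
    if n >= BULK_RESOLVE_THRESHOLD:
        tags.append(f"bulk runtime import resolution ({n} GetProcAddress calls)")
    return tags


def analyse(rows):
    """Map function address -> behaviour tags for every tagged 'Code function:' row."""
    findings = {}
    for row in rows:
        parsed = parse_code_function(row)
        if parsed is None:
            continue
        addr, apis = parsed
        tags = tag_behaviours(apis)
        if tags:
            findings[addr] = tags
    return findings


if __name__ == "__main__":
    for addr, tags in analyse(REPORT_ROWS).items():
        print(addr, "->", "; ".join(tags))
```

Run against the rows above, 0_2_0041CB50 is the only function tagged as a bulk resolver (27 GetProcAddress calls), which is the function the "dynamically determine API calls" signature points at; the bare-address rows and the push/ret gadget rows parse but receive no tag, so they drop out of the findings.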

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040F7A7 Sleep,ExitProcess
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041A748 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Window / User API: threadDelayed 1450
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Window / User API: threadDelayed 8542
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe TID: 360 | Thread sleep count: 1450 > 30
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe TID: 360 | Thread sleep time: -4350000s >= -30000s
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe TID: 360 | Thread sleep count: 8542 > 30
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe TID: 360 | Thread sleep time: -25626000s >= -30000s
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_0044E879 FindFirstFileExA,0_2_0044E879
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_0040880C
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_0040783C FindFirstFileW,FindNextFileW,0_2_0040783C
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419AF5
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB30
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD37
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407C97
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000698000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446573079.0000000000698000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeAPI call chain: ExitProcess graph end nodegraph_0-48661
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004349F9
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CB50
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h]0_2_004432B5
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_00412077 GetProcessHeap,HeapFree,0_2_00412077
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004349F9
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_00434B47 SetUnhandledExceptionFilter,0_2_00434B47
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BB22
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434FDC
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_004120F7
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_00419627 mouse_event,0_2_00419627
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446573079.0000000000692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446573079.0000000000692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000660000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_00434C52 cpuid 0_2_00434C52
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: GetLocaleInfoA,0_2_0040F8D1
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00452036
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_004520C3
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: GetLocaleInfoW,0_2_00452313
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00448404
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0045243C
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: GetLocaleInfoW,0_2_00452543
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452610
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004488ED
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451CD8
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00451F50
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00451F9B
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,0_2_00404F51
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_0041B60D GetComputerNameExW,GetUserNameW,0_2_0041B60D
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeCode function: 0_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00449190
                  Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
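The "Thread sleep count: 1450 > 30" and "Thread sleep time: -4350000s >= -30000s" rows above are a per-thread aggregation of Sleep() calls: the sandbox flags a thread once its call count exceeds 30 or its accumulated wait reaches 30000. The following is an added example of that check, not Joe Sandbox code. The report prints the count and the accumulated figure for TID 360 but not the per-call argument; 1450 × 3000 ms = 4,350,000 and 8542 × 3000 ms = 25,626,000, so a 3000 ms argument per call is assumed here and the trace below is constructed to match the first pair of figures.

```python
"""Per-thread Sleep() aggregation that flags delayed-execution loops.
Added example, not Joe Sandbox code. The API trace is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SleepStats:
    count: int = 0
    total_ms: int = 0

    @property
    def mean_ms(self) -> int:
        # Per-call delay inferred from the two figures the report prints.
        return self.total_ms // self.count if self.count else 0


COUNT_THRESHOLD = 30          # report prints "Thread sleep count: N > 30"
TOTAL_MS_THRESHOLD = 30_000   # report prints "Thread sleep time: ... >= 30000"


def aggregate_sleeps(trace):
    """trace: iterable of (tid, api_name, arg). Sums the dwMilliseconds
    argument of Sleep/SleepEx per thread; other APIs are ignored."""
    stats = defaultdict(SleepStats)
    for tid, api, arg in trace:
        if api in ("Sleep", "SleepEx"):
            stats[tid].count += 1
            stats[tid].total_ms += int(arg)
    return dict(stats)


def flag_delay_loops(trace):
    """Return {tid: SleepStats} for threads over either threshold. A single
    long Sleep trips the time threshold; a tight loop of short Sleeps trips
    the count threshold, which is why both are checked."""
    return {tid: s for tid, s in aggregate_sleeps(trace).items()
            if s.count > COUNT_THRESHOLD or s.total_ms >= TOTAL_MS_THRESHOLD}


def describe(tid, s):
    """Render a finding in the same shape as the report's rows."""
    return (f"TID: {tid} Thread sleep count: {s.count} > {COUNT_THRESHOLD}; "
            f"Thread sleep time: {s.total_ms} ms >= {TOTAL_MS_THRESHOLD} ms "
            f"(mean {s.mean_ms} ms per call)")


def synth(tid, n, ms, api="Sleep"):
    """Build n identical Sleep(ms) trace entries for one thread (constructed data)."""
    return [(tid, api, ms)] * n


# Constructed trace: the evasion thread (1450 x Sleep(3000), assumed
# argument) plus a thread with a few short waits that must not be flagged.
SAMPLE_TRACE = (synth(360, 1450, 3000)
                + synth(4120, 5, 100)
                + [(4120, "CreateFileW", 0)])

if __name__ == "__main__":
    for tid, s in flag_delay_loops(SAMPLE_TRACE).items():
        print(describe(tid, s))
```

The negative sign in the report's "-4350000s" is how the sandbox renders the accumulated figure; the aggregator above keeps the raw millisecond sum, which is the number a detection rule should compare against.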

Stealing of Sensitive Information

Source: Yara match | File source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 0_2_0040BA12
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 0_2_0040BB30
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: \key3.db | 0_2_0040BB30

Remote Access Functionality

Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R2I0JW
Source: Yara match | File source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | Code function: cmd.exe | 0_2_0040569A
MITRE ATT&CK Matrix

The matrix is listed here per tactic, showing only the techniques that carry a signature badge in the report. The bracketed digits are the badge digits printed in each matrix cell, copied as they appear; the unmatched placeholder techniques that pad the full 14-column matrix are omitted.

Reconnaissance: no matched techniques
Resource Development: no matched techniques
Initial Access: no matched techniques
Execution: Native API [1]; Command and Scripting Interpreter [12]; Service Execution [2]
Persistence: DLL Side-Loading [1]; Windows Service [1]
Privilege Escalation: DLL Side-Loading [1]; Bypass User Account Control [1]; Access Token Manipulation [1]; Windows Service [1]; Process Injection [11]
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; Bypass User Account Control [1]; Masquerading [1]; Virtualization/Sandbox Evasion [1]; Access Token Manipulation [1]; Process Injection [11]
Credential Access: OS Credential Dumping [1]; Input Capture [111]; Credentials In Files [2]
Discovery: System Time Discovery [2]; Account Discovery [1]; System Service Discovery [1]; File and Directory Discovery [2]; System Information Discovery [23]; Security Software Discovery [21]; Virtualization/Sandbox Evasion [1]; Process Discovery [2]; Application Window Discovery [1]; System Owner/User Discovery [1]
Lateral Movement: no matched techniques
Collection: Archive Collected Data [11]; Input Capture [111]; Clipboard Data [3]
Command and Control: Ingress Tool Transfer [12]; Encrypted Channel [2]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [22]
Exfiltration: no matched techniques
Impact: System Shutdown/Reboot [1]; Defacement [1]

Screenshots: the report's thumbnail gallery is not reproduced in this extract.
Source | Detection | Scanner | Label
1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | 89% | ReversingLabs | Win32.Backdoor.Remcos
1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | 100% | Joe Sandbox ML
No Antivirus matches
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://geoplugin.net/2 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpU | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe
http://geoplugin.net/ | 0% | Avira URL Cloud | safe
2024remcmon.duckdns.org | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpK | 0% | Avira URL Cloud | safe

The suffixed variants (…json.gpU, …json.gpK, …json.gpl, …json.gpSystem32, …json.gp/C, geoplugin.net/2) appear to be the same geoplugin URL carved from process memory with adjacent bytes attached; the URL the sample actually resolves and uses is http://geoplugin.net/json.gp, listed on its own below. The 0% / "safe" verdicts for 2024remcmon.duckdns.org are URL-reputation lookups only; the domain is still the sample's C2 (see the domain and IP tables).
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | (none) | unknown
2024remcmon.duckdns.org | 192.210.214.9 | true | true | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
2024remcmon.duckdns.org | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/2 | 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/ | 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000689000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpU | 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp; 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000660000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpK | 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp; 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000660000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpSystem32 | 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.210.214.9 | 2024remcmon.duckdns.org | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
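The report's host and network indicators for this sample are the C2 domain 2024remcmon.duckdns.org and its resolved address 192.210.214.9, the mutex Rmc-R2I0JW, the browser credential-store paths in the "Stealing of Sensitive Information" section, and the benign geoplugin.net lookup the RAT performs for geolocation. The following is an added example, not Joe Sandbox code, of matching those indicators against host telemetry. The event records are constructed (Sysmon-like field names chosen for the example), the severity labels are the editor's, and the Rmc- followed by six alphanumerics pattern is an assumption that generalises the single mutex value on the page to the Remcos default naming; only Rmc-R2I0JW itself is attested by the report.

```python
"""Match this report's indicators against constructed host telemetry.
Added example, not Joe Sandbox code. Indicator values come from the
report; the events, field names and severities are the editor's."""
import re
from dataclasses import dataclass

# Indicators from the report's signature and network tables.
C2_DOMAINS = {"2024remcmon.duckdns.org"}
C2_IPS = {"192.210.214.9"}
MUTEX_SEEN = "Rmc-R2I0JW"
# Assumption: generalises the observed mutex to Rmc- plus six alphanumerics
# (the Remcos default shape). Only MUTEX_SEEN itself is on the page.
MUTEX_RE = re.compile(r"(?:^|\\)Rmc-[A-Za-z0-9]{6}$")
CRED_PATH_FRAGMENTS = (
    "\\Google\\Chrome\\User Data\\Default\\Login Data",
    "\\Mozilla\\Firefox\\Profiles\\",
    "\\key3.db",
)
# geoplugin.net is a benign geolocation service the sample queries; the
# report marks it non-malicious, so it is recorded as context only.
CONTEXT_DOMAINS = {"geoplugin.net"}


@dataclass(frozen=True)
class Hit:
    severity: str      # "high" | "medium" | "info"
    rule: str
    event_index: int


def match_event(idx, ev):
    """Return a Hit for one event record, or None if nothing matches."""
    kind = ev.get("event")
    if kind == "DnsQuery":
        q = ev.get("query", "").lower().rstrip(".")
        if q in C2_DOMAINS:
            return Hit("high", "c2-domain", idx)
        if q in CONTEXT_DOMAINS:
            return Hit("info", "geolocation-lookup", idx)
    elif kind == "NetworkConnect":
        if ev.get("dst_ip") in C2_IPS:
            return Hit("high", "c2-ip", idx)
    elif kind == "CreateMutex":
        # Matches the bare name and the \Sessions\N\BaseNamedObjects\ form.
        if MUTEX_RE.search(ev.get("name", "")):
            return Hit("high", "remcos-mutex", idx)
    elif kind == "FileRead":
        path = ev.get("path", "").lower()
        if any(frag.lower() in path for frag in CRED_PATH_FRAGMENTS):
            return Hit("medium", "browser-credential-store-access", idx)
    return None


def scan(events):
    """Run match_event over a list of events, preserving event order."""
    hits = [match_event(i, ev) for i, ev in enumerate(events)]
    return [h for h in hits if h is not None]


# Constructed telemetry: five records that should fire, two that should not.
SAMPLE_EVENTS = [
    {"event": "DnsQuery", "query": "2024remcmon.duckdns.org"},
    {"event": "NetworkConnect", "dst_ip": "192.210.214.9"},
    {"event": "CreateMutex", "name": r"\Sessions\1\BaseNamedObjects\Rmc-R2I0JW"},
    {"event": "FileRead",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "DnsQuery", "query": "geoplugin.net"},
    {"event": "DnsQuery", "query": "www.example.com"},
    {"event": "CreateMutex", "name": r"\Sessions\1\BaseNamedObjects\Local\WilStaging_02"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.severity:6} {h.rule:34} event#{h.event_index}")
```

Because duckdns.org is a dynamic-DNS provider, the IP can change between runs (the related-sample table below already shows 107.172.31.178 for the same hostname); match on the hostname first and treat the IP as a secondary indicator.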
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1483070
Start date and time: 2024-07-26 15:40:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 31
• Number of non-executed functions: 222
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe
Time | Type | Description
09:41:29 | API Interceptor | 6271120x Sleep call for process: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe modified
                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      192.210.214.9girlfrnd.docGet hashmaliciousRemcosBrowse
                        Purchase Inquiry.xla.xlsxGet hashmaliciousRemcosBrowse
                          INQUIRY#809676-JULY1.xla.xlsxGet hashmaliciousRemcosBrowse
                            INQUIRY#809676-JULY1.xla.xlsxGet hashmaliciousRemcosBrowse
                              IlWPStOFHj.rtfGet hashmaliciousRemcosBrowse
                                1715327885f20f31f2f517c98cb2c7e927c5676435d894ec2de190282251b350f38ab136db927.dat-decoded.exeGet hashmaliciousRemcos, PrivateLoaderBrowse
                                  178.237.33.50girlfrnd.docGet hashmaliciousGuLoader, RemcosBrowse
                                  • geoplugin.net/json.gp
                                  erthings.docGet hashmaliciousRemcosBrowse
                                  • geoplugin.net/json.gp
                                  girlfrnd.docGet hashmaliciousRemcosBrowse
                                  • geoplugin.net/json.gp
                                  UD61dgs2rz.exeGet hashmaliciousRemcosBrowse
                                  • geoplugin.net/json.gp
                                  DHL Shipment Notification 490104998009.xlsGet hashmaliciousRemcosBrowse
                                  • geoplugin.net/json.gp
                                  Purchase Inquiry.xla.xlsxGet hashmaliciousRemcosBrowse
                                  • geoplugin.net/json.gp
                                  AWD 490104998518.xlsGet hashmaliciousRemcosBrowse
                                  • geoplugin.net/json.gp
                                  waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xlsGet hashmaliciousGuLoader, RemcosBrowse
                                  • geoplugin.net/json.gp
                                  Payment Advice__HSBC Banking.pdf.lnkGet hashmaliciousRemcosBrowse
                                  • geoplugin.net/json.gp
                                  C1ZsNxSer8.exeGet hashmaliciousRemcosBrowse
                                  • geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
2024remcmon.duckdns.org | girlfrnd.doc | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | Purchase Inquiry.xla.xlsx | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | INQUIRY#809676-JULY1.xla.xlsx | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | INQUIRY#809676-JULY1.xla.xlsx | Get hash | malicious | Remcos | Browse | 192.210.214.9
2024remcmon.duckdns.org | 1715327885f20f31f2f517c98cb2c7e927c5676435d894ec2de190282251b350f38ab136db927.dat-decoded.exe | Get hash | malicious | Remcos, PrivateLoader | Browse | 192.210.214.9
2024remcmon.duckdns.org | izjbNXbbDX.rtf | Get hash | malicious | Remcos | Browse | 107.172.31.178
2024remcmon.duckdns.org | 1710228246da2ebbe442542c426e28c0df992bca85d59c521a027975c70d161027e53b6d2f971.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 107.172.31.178
2024remcmon.duckdns.org | RFQ No. PO414501.xla.xlsx | Get hash | malicious | Remcos | Browse | 107.172.31.178
geoplugin.net | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
geoplugin.net | erthings.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | girlfrnd.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | UD61dgs2rz.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | DHL Shipment Notification 490104998009.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Purchase Inquiry.xla.xlsx | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | AWD 490104998518.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
geoplugin.net | Payment Advice__HSBC Banking.pdf.lnk | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | C1ZsNxSer8.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-COLOCROSSINGUS | IFqsFpijFt.rtf | Get hash | malicious | Remcos | Browse | 198.46.176.133
AS-COLOCROSSINGUS | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse | 104.168.45.34
AS-COLOCROSSINGUS | erthings.doc | Get hash | malicious | Remcos | Browse | 192.3.101.142
AS-COLOCROSSINGUS | girlfrnd.doc | Get hash | malicious | Remcos | Browse | 198.46.176.133
AS-COLOCROSSINGUS | PRZELEW BANKOWY.xls | Get hash | malicious | Unknown | Browse | 192.227.225.166
AS-COLOCROSSINGUS | PRZELEW BANKOWY.xls | Get hash | malicious | Unknown | Browse | 192.227.225.166
AS-COLOCROSSINGUS | DHL Shipment Notification 490104998009.xls | Get hash | malicious | Remcos | Browse | 192.3.101.142
AS-COLOCROSSINGUS | PRZELEW BANKOWY.xls | Get hash | malicious | Unknown | Browse | 192.227.225.166
AS-COLOCROSSINGUS | Purchase Inquiry.xla.xlsx | Get hash | malicious | Remcos | Browse | 198.46.176.133
AS-COLOCROSSINGUS | AWD 490104998518.xls | Get hash | malicious | Remcos | Browse | 198.46.176.133
ATOM86-ASATOM86NL | girlfrnd.doc | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | erthings.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | girlfrnd.doc | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | UD61dgs2rz.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | DHL Shipment Notification 490104998009.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Purchase Inquiry.xla.xlsx | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | AWD 490104998518.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Payment Advice__HSBC Banking.pdf.lnk | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | C1ZsNxSer8.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                                  No context
                                  No context
                                  Process:C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe
                                  File Type:JSON data
                                  Category:dropped
                                  Size (bytes):962
                                  Entropy (8bit):5.013130376969173
                                  Encrypted:false
                                  SSDEEP:12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
                                  MD5:F61E5CC20FBBA892FF93BFBFC9F41061
                                  SHA1:36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
                                  SHA-256:28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
                                  SHA-512:5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):6.599437438668424
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe
                                  File size:494'592 bytes
                                  MD5:7bccbac8a232ff442b0840adcc1eb718
                                  SHA1:e2800e1cfb0beaddadcf275d0f07c8aab27259c5
                                  SHA256:2c4b0e1df5a390f1dd275ba8bcf16ed61c411c5d8a076094f7614384ca28d865
                                  SHA512:62fae04fe37a7e7834df89f6b8f5d0353e0bfb31ff03559618b73a0bc609dc161a9740b92fab24d672d8d60f2efd08d37a417397c1a9187375b5fe3edefac81c
                                  SSDEEP:6144:HXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZ5AXIcNH5Gv:HX7tPMK8ctGe4Dzl4h2QnuPs/Z5icv
                                  TLSH:E3B49E01BAD1C072D57514300D36F776EAB8BD2028364A7BB3D61D5BFE31190B62AAB7
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~....R..~....r..~....j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..
                                  Icon Hash:95694d05214c1b33
                                  Entrypoint:0x4349ef
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66728C58 [Wed Jun 19 07:44:24 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:8d5087ff5de35c3fbb9f212b47d63cad
                                  Instruction
                                  call 00007F09208C0EDCh
                                  jmp 00007F09208C08F3h
                                  push ebp
                                  mov ebp, esp
                                  sub esp, 00000324h
                                  push ebx
                                  push esi
                                  push 00000017h
                                  call 00007F09208E3154h
                                  test eax, eax
                                  je 00007F09208C0A67h
                                  mov ecx, dword ptr [ebp+08h]
                                  int 29h
                                  xor esi, esi
                                  lea eax, dword ptr [ebp-00000324h]
                                  push 000002CCh
                                  push esi
                                  push eax
                                  mov dword ptr [00471D14h], esi
                                  call 00007F09208C2EC7h
                                  add esp, 0Ch
                                  mov dword ptr [ebp-00000274h], eax
                                  mov dword ptr [ebp-00000278h], ecx
                                  mov dword ptr [ebp-0000027Ch], edx
                                  mov dword ptr [ebp-00000280h], ebx
                                  mov dword ptr [ebp-00000284h], esi
                                  mov dword ptr [ebp-00000288h], edi
                                  mov word ptr [ebp-0000025Ch], ss
                                  mov word ptr [ebp-00000268h], cs
                                  mov word ptr [ebp-0000028Ch], ds
                                  mov word ptr [ebp-00000290h], es
                                  mov word ptr [ebp-00000294h], fs
                                  mov word ptr [ebp-00000298h], gs
                                  pushfd
                                  pop dword ptr [ebp-00000264h]
                                  mov eax, dword ptr [ebp+04h]
                                  mov dword ptr [ebp-0000026Ch], eax
                                  lea eax, dword ptr [ebp+04h]
                                  mov dword ptr [ebp-00000260h], eax
                                  mov dword ptr [ebp-00000324h], 00010001h
                                  mov eax, dword ptr [eax-04h]
                                  push 00000050h
                                  mov dword ptr [ebp-00000270h], eax
                                  lea eax, dword ptr [ebp-58h]
                                  push esi
                                  push eax
                                  call 00007F09208C2E3Eh
                                  Programming Language:
                                  • [C++] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eea8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4a88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bcc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d340 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3d4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d378 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x4fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x57175 | 0x57200 | f959ed65f49a903603bc150bbb7292aa | False | 0.571329694225251 | data | 6.62552167894442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179b6 | 0x17a00 | cb0626634f7bf1c5779954b9e8e456d0 | False | 0.5005787037037037 | Zebra Metafile graphic (comment = \210\002\007) | 5.859466241544869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe00 | fa1a169b9414830def88848af87110b5 | False | 0.22154017857142858 | data | 3.00580031855032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 09e4699aa75951ab53e804fe4f9a3b6b | False | 0.3271484375 | data | 2.349075166240886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4a88 | 0x4c00 | ed06ebf654872982a03c88f1684c9d24 | False | 0.27323190789473684 | data | 3.975681577976785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bcc | 0x3c00 | 0a6e61b09628beca43d4bf9604f65238 | False | 0.7639973958333334 | data | 6.718533933603825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x47c | data | | | 1.009581881533101
RT_GROUP_ICON | 0x7da48 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, GetMessageA, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, DispatchMessageA, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, GetIconInfo, GetSystemMetrics, AppendMenuA, RegisterClassExA, GetCursorPos, SetForegroundWindow, DrawIcon, SystemParametersInfoW
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInUnprepareHeader, waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T15:41:55.253385+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49713 | 40.68.123.157 | 192.168.2.5
2024-07-26T15:40:57.008456+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 49705 | 80 | 192.168.2.5 | 178.237.33.50
2024-07-26T15:40:55.425506+0200 | TCP | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
2024-07-26T15:41:15.983405+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49706 | 40.68.123.157 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 15:40:54.787693024 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:40:54.794778109 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:40:54.794874907 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:40:54.798659086 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:40:54.803591967 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:40:55.370395899 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:40:55.425506115 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:40:55.497962952 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:40:55.501122952 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:40:55.506814003 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:40:55.506911039 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:40:55.512573957 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:40:56.131972075 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:40:56.136645079 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:40:56.141706944 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:40:56.234467983 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:40:56.284993887 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:40:56.353420019 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:40:56.364335060 CEST | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Jul 26, 2024 15:40:56.364428997 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:40:56.366785049 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:40:56.372107983 CEST | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Jul 26, 2024 15:40:57.008250952 CEST | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Jul 26, 2024 15:40:57.008455992 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:40:57.041356087 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:40:57.049629927 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:40:58.016347885 CEST | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Jul 26, 2024 15:40:58.016653061 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:41:09.735682011 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:41:09.737184048 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:41:09.743387938 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:41:39.983571053 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:41:39.986196041 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:41:39.991352081 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:42:10.891216993 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:42:10.895353079 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:42:10.938266039 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:42:40.987284899 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:42:40.989547968 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:42:40.994699001 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:42:46.306878090 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:42:46.613214016 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:42:47.222512960 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:42:48.425617933 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:42:50.831880093 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:42:55.644469023 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:43:05.253757954 CEST | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jul 26, 2024 15:43:11.056077957 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:43:11.058551073 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:43:11.063613892 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:43:41.089871883 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:43:41.091622114 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:43:41.096466064 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:44:11.115870953 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:44:11.117132902 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:44:11.123085976 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:44:41.160027027 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Jul 26, 2024 15:44:41.172789097 CEST | 49704 | 14645 | 192.168.2.5 | 192.210.214.9
Jul 26, 2024 15:44:41.177664042 CEST | 14645 | 49704 | 192.210.214.9 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 15:40:54.667857885 CEST | 59644 | 53 | 192.168.2.5 | 1.1.1.1
Jul 26, 2024 15:40:54.785157919 CEST | 53 | 59644 | 1.1.1.1 | 192.168.2.5
Jul 26, 2024 15:40:56.308634043 CEST | 64028 | 53 | 192.168.2.5 | 1.1.1.1
Jul 26, 2024 15:40:56.324681997 CEST | 53 | 64028 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 26, 2024 15:40:54.667857885 CEST | 192.168.2.5 | 1.1.1.1 | 0xbad8 | Standard query (0) | 2024remcmon.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 26, 2024 15:40:56.308634043 CEST | 192.168.2.5 | 1.1.1.1 | 0xd678 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 26, 2024 15:40:54.785157919 CEST | 1.1.1.1 | 192.168.2.5 | 0xbad8 | No error (0) | 2024remcmon.duckdns.org | | 192.210.214.9 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 15:40:56.324681997 CEST | 1.1.1.1 | 192.168.2.5 | 0xd678 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | 6976 | C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 15:40:56.366785049 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jul 26, 2024 15:40:57.008250952 CEST | 1170 | IN | HTTP/1.1 200 OK
                                  date: Fri, 26 Jul 2024 13:40:56 GMT
                                  server: Apache
                                  content-length: 962
                                  content-type: application/json; charset=utf-8
                                  cache-control: public, max-age=300
                                  access-control-allow-origin: *
                                  Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                  Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                  Target ID:0
                                  Start time:09:40:53
                                  Start date:26/07/2024
                                  Path:C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe"
                                  Imagebase:0x400000
                                  File size:494'592 bytes
                                  MD5 hash:7BCCBAC8A232FF442B0840ADCC1EB718
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:3.9%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:22.9%
                                    Total number of Nodes:1269
                                    Total number of Limit Nodes:54
                                    execution_graph: node/edge dump of the interactive graph (1269 nodes, 54 limit nodes) not reproduced here. Windows API calls named on its nodes, grouped by function:
                                    • CRT start-up and crash handling: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoW, GetModuleHandleW
                                    • Dynamic API resolution: LoadLibraryA, GetModuleHandleA, GetProcAddress
                                    • Self-inspection and resources: GetModuleFileNameW, GetLongPathNameW, FindResourceA, LoadResource, LockResource, SizeofResource, RtlAllocateHeap, IsWow64Process
                                    • Mutex creation: CreateMutexA, GetLastError
                                    • Registry: RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegCreateKeyA, RegSetValueExA, RegDeleteValueW, RegCloseKey
                                    • Processes, threads and synchronisation: CreateProcessA, CloseHandle, CreateThread, CreateEventA, CreateEventW, SetProcessDEPPolicy, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, Sleep
                                    • Host profiling: GetComputerNameExW, GetUserNameW, GetLocalTime, GetLocaleInfoA, GlobalMemoryStatusEx, GetLastInputInfo, GetTickCount
                                    • Networking: WSAStartup, getaddrinfo, WSASetLastError, socket, connect, WSAGetLastError
                                    • Files and strings: DeleteFileW, StrToIntA
GetForegroundWindow GetWindowTextW 48432->48433 48434 40417e 28 API calls 48433->48434 48435 41badf 48434->48435 48435->47828 48437 402093 28 API calls 48436->48437 48438 40f8f6 48437->48438 48438->47828 48439->47828 48441 4020df 11 API calls 48440->48441 48442 404c27 48441->48442 48443 4020df 11 API calls 48442->48443 48454 404c30 48443->48454 48444 43bd51 _Yarn 21 API calls 48444->48454 48446 404c96 48448 404ca1 48446->48448 48446->48454 48447 4020b7 28 API calls 48447->48454 48536 404e26 99 API calls 48448->48536 48449 401fe2 28 API calls 48449->48454 48451 401fd8 11 API calls 48451->48454 48452 404ca8 48453 401fd8 11 API calls 48452->48453 48455 404cb1 48453->48455 48454->48444 48454->48446 48454->48447 48454->48449 48454->48451 48523 404cc3 48454->48523 48535 404b96 57 API calls 48454->48535 48456 401fd8 11 API calls 48455->48456 48457 404cba 48456->48457 48457->47791 48459->47813 48460->47791 48462->47828 48463->47791 48464->47791 48465->48319 48466->48326 48471 40515c 102 API calls 48468->48471 48470 405159 48471->48470 48472->48353 48473->48345 48474->48375 48475->48389 48476->48386 48477->48356 48479->48404 48483 414553 48480->48483 48484 414568 ___scrt_initialize_default_local_stdio_options 48483->48484 48487 43f79d 48484->48487 48490 43c4f0 48487->48490 48491 43c530 48490->48491 48492 43c518 48490->48492 48491->48492 48494 43c538 48491->48494 48512 4405dd 20 API calls __dosmaperr 48492->48512 48513 43a7b7 36 API calls 2 library calls 48494->48513 48495 43c51d _strftime 48505 434fcb 48495->48505 48497 43c548 48514 43cc76 20 API calls 2 library calls 48497->48514 48500 414576 48500->47813 48501 43c5c0 48515 43d2e4 51 API calls 3 library calls 48501->48515 48504 43c5cb 48516 43cce0 20 API calls _free 48504->48516 48506 434fd6 IsProcessorFeaturePresent 48505->48506 48507 434fd4 48505->48507 48509 435018 48506->48509 48507->48500 48517 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 48509->48517 48511 4350fb 
48511->48500 48512->48495 48513->48497 48514->48501 48515->48504 48516->48495 48517->48511 48519 441c94 48518->48519 48521 441ccb _strftime 48519->48521 48522 4405dd 20 API calls __dosmaperr 48519->48522 48521->48411 48522->48521 48524 4020df 11 API calls 48523->48524 48532 404cde 48524->48532 48525 404e13 48526 401fd8 11 API calls 48525->48526 48527 404e1c 48526->48527 48527->48446 48528 4041a2 28 API calls 48528->48532 48529 401fe2 28 API calls 48529->48532 48530 4020f6 28 API calls 48530->48532 48531 401fc0 28 API calls 48533 404dad CreateEventA CreateThread WaitForSingleObject FindCloseChangeNotification 48531->48533 48532->48525 48532->48528 48532->48529 48532->48530 48532->48531 48534 401fd8 11 API calls 48532->48534 48533->48532 48537 415aea 48533->48537 48534->48532 48535->48454 48536->48452 48538 4020f6 28 API calls 48537->48538 48539 415b0c SetEvent 48538->48539 48540 415b21 48539->48540 48541 4041a2 28 API calls 48540->48541 48542 415b3b 48541->48542 48543 4020f6 28 API calls 48542->48543 48544 415b4b 48543->48544 48545 4020f6 28 API calls 48544->48545 48546 415b5d 48545->48546 48547 41be1b 28 API calls 48546->48547 48548 415b66 48547->48548 48549 417089 48548->48549 48550 415b86 GetTickCount 48548->48550 48551 415d2f 48548->48551 48552 401e8d 11 API calls 48549->48552 48553 41bb8e 28 API calls 48550->48553 48551->48549 48611 415ce5 48551->48611 48554 417092 48552->48554 48555 415b97 48553->48555 48556 401fd8 11 API calls 48554->48556 48616 41bae6 GetLastInputInfo GetTickCount 48555->48616 48559 41709e 48556->48559 48562 401fd8 11 API calls 48559->48562 48560 415cc9 48560->48549 48561 415ba3 48563 41bb8e 28 API calls 48561->48563 48564 4170aa 48562->48564 48565 415bae 48563->48565 48566 41ba96 30 API calls 48565->48566 48567 415bbc 48566->48567 48568 41bd1e 28 API calls 48567->48568 48569 415bca 48568->48569 48570 401e65 22 API calls 48569->48570 48571 415bd8 48570->48571 48617 402f31 28 API calls 48571->48617 48573 415be6 48618 402ea1 28 API calls 
48573->48618 48575 415bf5 48576 402f10 28 API calls 48575->48576 48577 415c04 48576->48577 48619 402ea1 28 API calls 48577->48619 48579 415c13 48580 402f10 28 API calls 48579->48580 48581 415c1f 48580->48581 48620 402ea1 28 API calls 48581->48620 48583 415c29 48621 404aa1 61 API calls _Yarn 48583->48621 48585 415c38 48586 401fd8 11 API calls 48585->48586 48587 415c41 48586->48587 48588 401fd8 11 API calls 48587->48588 48589 415c4d 48588->48589 48590 401fd8 11 API calls 48589->48590 48591 415c59 48590->48591 48592 401fd8 11 API calls 48591->48592 48593 415c65 48592->48593 48594 401fd8 11 API calls 48593->48594 48595 415c71 48594->48595 48596 401fd8 11 API calls 48595->48596 48597 415c7d 48596->48597 48598 401f09 11 API calls 48597->48598 48599 415c86 48598->48599 48600 401fd8 11 API calls 48599->48600 48601 415c8f 48600->48601 48602 401fd8 11 API calls 48601->48602 48603 415c98 48602->48603 48604 401e65 22 API calls 48603->48604 48605 415ca3 48604->48605 48606 43baac _strftime 40 API calls 48605->48606 48607 415cb0 48606->48607 48608 415cb5 48607->48608 48609 415cdb 48607->48609 48612 415cc3 48608->48612 48613 415cce 48608->48613 48610 401e65 22 API calls 48609->48610 48610->48611 48611->48549 48623 4050e4 84 API calls 48611->48623 48622 404ff4 82 API calls 48612->48622 48614 404f51 105 API calls 48613->48614 48614->48560 48616->48561 48617->48573 48618->48575 48619->48579 48620->48583 48621->48585 48622->48560 48623->48560 48626 401f8e 48625->48626 48627 402252 11 API calls 48626->48627 48628 401f99 48627->48628 48628->47856 48628->47857 48628->47858 48629->47862 48630->47889 48631->47888 48632->47877 48633->47881 48634->47887 48637 40f7c2 48635->48637 48636 413549 3 API calls 48636->48637 48637->48636 48638 40f866 48637->48638 48640 40f856 Sleep 48637->48640 48656 40f7f4 48637->48656 48641 40905c 28 API calls 48638->48641 48639 40905c 28 API calls 48639->48656 48640->48637 48644 40f871 48641->48644 48643 41bc5e 28 API calls 48643->48656 48645 41bc5e 28 API calls 
48644->48645 48646 40f87d 48645->48646 48670 413814 14 API calls 48646->48670 48649 401f09 11 API calls 48649->48656 48650 40f890 48651 401f09 11 API calls 48650->48651 48653 40f89c 48651->48653 48652 402093 28 API calls 48652->48656 48654 402093 28 API calls 48653->48654 48655 40f8ad 48654->48655 48658 41376f 14 API calls 48655->48658 48656->48639 48656->48640 48656->48643 48656->48649 48656->48652 48657 41376f 14 API calls 48656->48657 48668 40d096 112 API calls ___scrt_fastfail 48656->48668 48669 413814 14 API calls 48656->48669 48657->48656 48659 40f8c0 48658->48659 48671 412850 TerminateProcess WaitForSingleObject 48659->48671 48661 40f8c8 ExitProcess 48672 4127ee 62 API calls 48662->48672 48669->48656 48670->48650 48671->48661 48673 4269e6 48674 4269fb 48673->48674 48684 426a8d 48673->48684 48675 426a7d 48674->48675 48676 426b1d 48674->48676 48680 426af2 48674->48680 48683 426abd 48674->48683 48674->48684 48686 426a48 48674->48686 48688 426b44 48674->48688 48701 424edd 49 API calls _Yarn 48674->48701 48675->48683 48675->48684 48703 424edd 49 API calls _Yarn 48675->48703 48676->48684 48676->48688 48689 425ae1 48676->48689 48680->48676 48705 4256f0 21 API calls 48680->48705 48683->48680 48683->48684 48704 41fb6c 52 API calls 48683->48704 48686->48675 48686->48684 48702 41fb6c 52 API calls 48686->48702 48688->48684 48706 426155 28 API calls 48688->48706 48692 425b00 ___scrt_fastfail 48689->48692 48690 425b0f 48691 425b34 48690->48691 48700 425b14 48690->48700 48708 4205d8 46 API calls 48690->48708 48691->48688 48692->48690 48692->48691 48707 41ebbb 21 API calls 48692->48707 48696 425b1d 48696->48691 48711 424d05 21 API calls 2 library calls 48696->48711 48698 425bb7 48698->48691 48709 432ec4 21 API calls _Yarn 48698->48709 48700->48691 48700->48696 48710 41da5f 49 API calls 48700->48710 48701->48686 48702->48686 48703->48683 48704->48683 48705->48676 48706->48684 48707->48690 48708->48698 48709->48700 48710->48696 48711->48691 48712 415d06 48727 41b380 
48712->48727 48714 415d0f 48715 4020f6 28 API calls 48714->48715 48716 415d1e 48715->48716 48738 404aa1 61 API calls _Yarn 48716->48738 48718 415d2a 48719 417089 48718->48719 48720 401fd8 11 API calls 48718->48720 48721 401e8d 11 API calls 48719->48721 48720->48719 48722 417092 48721->48722 48723 401fd8 11 API calls 48722->48723 48724 41709e 48723->48724 48725 401fd8 11 API calls 48724->48725 48726 4170aa 48725->48726 48728 4020df 11 API calls 48727->48728 48729 41b38e 48728->48729 48730 43bd51 _Yarn 21 API calls 48729->48730 48731 41b39e InternetOpenW InternetOpenUrlW 48730->48731 48732 41b3c5 InternetReadFile 48731->48732 48736 41b3e8 48732->48736 48733 41b415 InternetCloseHandle InternetCloseHandle 48735 41b427 48733->48735 48734 4020b7 28 API calls 48734->48736 48735->48714 48736->48732 48736->48733 48736->48734 48737 401fd8 11 API calls 48736->48737 48737->48736 48738->48718 48739 426c4b 48744 426cc8 send 48739->48744 48745 43be58 48746 43be64 _swprintf ___DestructExceptionObject 48745->48746 48747 43be72 48746->48747 48749 43be9c 48746->48749 48761 4405dd 20 API calls __dosmaperr 48747->48761 48756 445888 EnterCriticalSection 48749->48756 48751 43bea7 48757 43bf48 48751->48757 48752 43be77 _strftime ___DestructExceptionObject 48756->48751 48759 43bf56 48757->48759 48758 43beb2 48762 43becf LeaveCriticalSection std::_Lockit::~_Lockit 48758->48762 48759->48758 48763 44976c 37 API calls 2 library calls 48759->48763 48761->48752 48762->48752 48763->48759 48764 41dfbd 48765 41dfd2 _Yarn ___scrt_fastfail 48764->48765 48777 41e1d5 48765->48777 48783 432ec4 21 API calls _Yarn 48765->48783 48768 41e1e6 48770 41e189 48768->48770 48779 432ec4 21 API calls _Yarn 48768->48779 48769 41e182 ___scrt_fastfail 48769->48770 48784 432ec4 21 API calls _Yarn 48769->48784 48773 41e21f ___scrt_fastfail 48773->48770 48780 43354a 48773->48780 48775 41e1af ___scrt_fastfail 48775->48770 48785 432ec4 21 API calls _Yarn 48775->48785 48777->48770 48778 41db62 DeleteCriticalSection 
EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 48777->48778 48778->48768 48779->48773 48786 433469 48780->48786 48782 433552 48782->48770 48783->48769 48784->48775 48785->48777 48787 433482 48786->48787 48790 433478 48786->48790 48787->48790 48792 432ec4 21 API calls _Yarn 48787->48792 48789 4334a3 48789->48790 48793 433837 CryptAcquireContextA 48789->48793 48790->48782 48792->48789 48794 433853 48793->48794 48795 433858 CryptGenRandom 48793->48795 48794->48790 48795->48794 48796 43386d CryptReleaseContext 48795->48796 48796->48794 48797 426bdc 48803 426cb1 recv 48797->48803 48804 42f8ed 48805 42f8f8 48804->48805 48807 42f90c 48805->48807 48808 432eee 48805->48808 48809 432ef9 48808->48809 48810 432efd 48808->48810 48809->48807 48812 440f0d 48810->48812 48813 446185 48812->48813 48814 446192 48813->48814 48815 44619d 48813->48815 48825 446137 48814->48825 48817 4461a5 48815->48817 48823 4461ae __Getctype 48815->48823 48832 446782 48817->48832 48818 4461b3 48838 4405dd 20 API calls __dosmaperr 48818->48838 48819 4461d8 HeapReAlloc 48822 44619a 48819->48822 48819->48823 48822->48809 48823->48818 48823->48819 48839 442f80 7 API calls 2 library calls 48823->48839 48826 446175 48825->48826 48830 446145 __Getctype 48825->48830 48841 4405dd 20 API calls __dosmaperr 48826->48841 48827 446160 RtlAllocateHeap 48829 446173 48827->48829 48827->48830 48829->48822 48830->48826 48830->48827 48840 442f80 7 API calls 2 library calls 48830->48840 48833 44678d RtlFreeHeap 48832->48833 48834 4467b6 __dosmaperr 48832->48834 48833->48834 48835 4467a2 48833->48835 48834->48822 48842 4405dd 20 API calls __dosmaperr 48835->48842 48837 4467a8 GetLastError 48837->48834 48838->48822 48839->48823 48840->48830 48841->48829 48842->48837

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                    • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                    • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad$HandleModule
                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                    • API String ID: 4236061018-3687161714
                                    • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                    • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                    • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                    • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                      • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                      • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                      • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe,00000104), ref: 0040E9EE
                                      • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                    • String ID: 8)b$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-R2I0JW$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                    • API String ID: 2830904901-4066756432
                                    • Opcode ID: cc67e54aedd94bd188949fffc6f37dabdb480af775679b2e47580a4ac9d4071a
                                    • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                    • Opcode Fuzzy Hash: cc67e54aedd94bd188949fffc6f37dabdb480af775679b2e47580a4ac9d4071a
                                    • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                      • Part of subcall function 00413549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                      • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
                                    • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                    • ExitProcess.KERNEL32 ref: 0040F8CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                    • String ID: 5.0.0 Pro$8)b$override$pth_unenc
                                    • API String ID: 2281282204-3982060966
                                    • Opcode ID: e8f8a8c6e09656479cbd18f8005b06e309874533347df5ec8e0d67fb659a5248
                                    • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                    • Opcode Fuzzy Hash: e8f8a8c6e09656479cbd18f8005b06e309874533347df5ec8e0d67fb659a5248
                                    • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

                                    Control-flow Graph

                                    APIs
                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                    Strings
                                    • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleOpen$FileRead
                                    • String ID: http://geoplugin.net/json.gp
                                    • API String ID: 3121278467-91888290
                                    • Opcode ID: 37211688c0b5698ac0084f66d0ba54e0592879c2b0dd433720555137baf5cf7a
                                    • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                    • Opcode Fuzzy Hash: 37211688c0b5698ac0084f66d0ba54e0592879c2b0dd433720555137baf5cf7a
                                    • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

                                    Control-flow Graph

                                    APIs
                                    • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                    Strings
                                    • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Create$EventLocalThreadTime
                                    • String ID: KeepAlive | Enabled | Timeout:
                                    • API String ID: 2532271599-1507639952
                                    • Opcode ID: 70ec5357b5270b3dcda54dd920b0034a798e59f343eafcbf38ffbebff9207b28
                                    • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                    • Opcode Fuzzy Hash: 70ec5357b5270b3dcda54dd920b0034a798e59f343eafcbf38ffbebff9207b28
                                    • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00624610), ref: 00433849
                                    • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Context$AcquireRandomRelease
                                    • String ID:
                                    • API String ID: 1815803762-0
                                    • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                    • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                    • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                    • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                    APIs
                                    • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
                                    • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Name$ComputerUser
                                    • String ID:
                                    • API String ID: 4229901323-0
                                    • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                    • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                    • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                    • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                    APIs
                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.0.0 Pro), ref: 0040F8E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                    • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                    • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                    • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                                    • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                    • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$ErrorLastLocalTime
                                    • String ID: | $%I64u$5.0.0 Pro$8)b$8SG$C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-R2I0JW$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                    • API String ID: 524882891-931372545
                                    • Opcode ID: a8c02c22cd3f0494462e374b9ca84dbd644fb02f7d43ecd4982879d3f7b2ef15
                                    • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                    • Opcode Fuzzy Hash: a8c02c22cd3f0494462e374b9ca84dbd644fb02f7d43ecd4982879d3f7b2ef15
                                    • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                                    Control-flow Graph

                                    APIs
                                    • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                    • WSAGetLastError.WS2_32 ref: 00404A21
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                    • API String ID: 994465650-2151626615
                                    • Opcode ID: fa9dc16280b74e41472a6a3d9ec0168782aacc7c5f81dfffe069f112667f44de
                                    • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                    • Opcode Fuzzy Hash: fa9dc16280b74e41472a6a3d9ec0168782aacc7c5f81dfffe069f112667f44de
                                    • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

                                    Control-flow Graph

                                    APIs
                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                    • API String ID: 82841172-425784914
                                    • Opcode ID: aa652be1f29e0a7c33d43a87d655e5c017c40b6912c980d0cec9b2528de70772
                                    • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                    • Opcode Fuzzy Hash: aa652be1f29e0a7c33d43a87d655e5c017c40b6912c980d0cec9b2528de70772
                                    • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                      • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                      • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                      • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                    • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseCurrentOpenQueryValueWow64
                                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                    • API String ID: 782494840-2070987746
                                    • Opcode ID: 8ad9b4a9319c0ce8e08ab0eef02bf2d7836f92b3666c7b1e2c0131a55ef00c42
                                    • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                    • Opcode Fuzzy Hash: 8ad9b4a9319c0ce8e08ab0eef02bf2d7836f92b3666c7b1e2c0131a55ef00c42
                                    • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                                    Control-flow Graph

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CountEventTick
                                    • String ID: !D@$NG
                                    • API String ID: 180926312-2721294649
                                    • Opcode ID: 2a5a63d8458b05b04342565ba228e3c05cb97fbcfa9a3854d6513404aed4c3f8
                                    • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                    • Opcode Fuzzy Hash: 2a5a63d8458b05b04342565ba228e3c05cb97fbcfa9a3854d6513404aed4c3f8
                                    • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

                                    Control-flow Graph

                                    Basic blocks (block id, address range: subroutine/API calls; → successor blocks):
                                    • 1282 41376f-413786: RegCreateKeyA; → 1283, 1284
                                    • 1283 413788-4137bd: call 40247c, call 401fab, RegSetValueExA, RegCloseKey; → 1286
                                    • 1284 4137bf; → 1286
                                    • 1286 4137c1-4137cf: call 401fd8
                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E (80000001 = HKEY_CURRENT_USER: the value is written into the user hive, so no elevation is required; the pth_unenc string associated with this function is the likely value name)
                                    • RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.0.0 Pro), ref: 004137A6
                                    • RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,5.0.0 Pro), ref: 004137B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: pth_unenc
                                    • API String ID: 1818849710-4028850238
                                    • Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                    • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                    • Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                    • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

                                    Control-flow Graph

                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                    • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                    • FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 00404DDB (this kernel32 export shares its implementation with CloseHandle, so read it as closing the thread handle that was just waited on, not as a directory-change notification)
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                                    • String ID:
                                    • API String ID: 2579639479-0
                                    • Opcode ID: ceb3114af3113f3e51a28b58c6f931136764174e6725d3240f6aeee7034d4dad
                                    • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                    • Opcode Fuzzy Hash: ceb3114af3113f3e51a28b58c6f931136764174e6725d3240f6aeee7034d4dad
                                    • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

                                    Control-flow Graph

                                    Basic blocks (block id, address range: subroutine/API calls):
                                    • 1340 40d069-40d095: call 401fab, CreateMutexA, GetLastError
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                    • GetLastError.KERNEL32 ref: 0040D083
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateErrorLastMutex
                                    • String ID: Rmc-R2I0JW
                                    • API String ID: 1925916568-2751493137
                                    • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                    • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                    • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                    • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                                    Control-flow Graph

                                    Basic blocks (block id, address range: subroutine/API calls; → successor blocks):
                                    • 1343 4135a6-4135d2: RegOpenKeyExA; → 1344, 1345
                                    • 1344 4135d4-4135fc: RegQueryValueExA, RegCloseKey; → 1346, 1347
                                    • 1345 413607; → 1346
                                    • 1346 413609; → 1348
                                    • 1347 4135fe-413605; → 1348
                                    • 1348 41360e-41361a: call 402093
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA (80000001 = HKEY_CURRENT_USER, 00020019 = KEY_READ: a read-only lookup under the user hive)
                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                    • RegCloseKey.KERNEL32(?), ref: 004135F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                                    • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                    • Opcode Fuzzy Hash: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                                    • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

                                    Control-flow Graph

                                    Basic blocks (block id, address range: subroutine/API calls; → successor blocks):
                                    • 1351 4136f8-41371c: RegOpenKeyExA; → 1352, 1353
                                    • 1352 413768; → 1354
                                    • 1353 41371e-413740: RegQueryValueExA, RegCloseKey; → 1352, 1355
                                    • 1354 41376a-41376e
                                    • 1355 413742-413766: call 406cb7, call 406d3c; → 1354
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                    • RegCloseKey.KERNEL32(00000000), ref: 00413738
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                    • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                                    • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                    • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                    • RegCloseKey.KERNEL32(?), ref: 00413592
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                    • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                    • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                    • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                                    • RegCloseKey.KERNEL32(?,?,?,0040C19C,00466C48), ref: 00413535
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                    • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                                    • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                    • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                    • RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                    • RegCloseKey.KERNEL32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID:
                                    • API String ID: 1818849710-0
                                    • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                    • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                                    • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                    • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: _wcslen
                                    • String ID: pQG
                                    • API String ID: 176396367-3769108836
                                    • Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                    • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                                    • Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                    • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID: @
                                    • API String ID: 1890195054-2766056989
                                    • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                    • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                    • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                    • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                    APIs
                                    • _free.LIBCMT ref: 004461A6
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    • HeapReAlloc.KERNEL32(00000000,00000000,?,?,0000000F,00000000,00432F02,00000000,0000000F,0042F90C,?,?,004319B3,?,?,00000000), ref: 004461E2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocAllocate_free
                                    • String ID:
                                    • API String ID: 2447670028-0
                                    • Opcode ID: 0c50226df9aed064d9fc72c30ff8f5201140dd52271d3dd40973ea300b8a0024
                                    • Instruction ID: bbbbf11ac8836aedddebace835184d628c0e8eb9448606daf7135ff7baabef38
                                    • Opcode Fuzzy Hash: 0c50226df9aed064d9fc72c30ff8f5201140dd52271d3dd40973ea300b8a0024
                                    • Instruction Fuzzy Hash: ACF0683120051566BF212A16AD01B6F375D8F83B75F17411BF91466292DE3CD911916F
                                    APIs
                                    • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                      • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateEventStartupsocket
                                    • String ID:
                                    • API String ID: 1953588214-0
                                    • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                    • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                                    • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                    • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 0041BAB8
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$ForegroundText
                                    • String ID:
                                    • API String ID: 29597999-0
                                    • Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                    • Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
                                    • Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                    • Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4
                                    APIs
                                    • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                                    • WSASetLastError.WS2_32(00000000), ref: 00414F10
                                      • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                      • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                                      • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                      • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                      • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                                      • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                      • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                      • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                    • String ID:
                                    • API String ID: 1170566393-0
                                    • Opcode ID: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                    • Instruction ID: cadd3d9b0d0923a9352550a0b766658ea18523973fceddbfefdc7c35282954d4
                                    • Opcode Fuzzy Hash: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                    • Instruction Fuzzy Hash: 9ED017322015316BD320A769AC01AFBAA9EDBD7771B16003BFA08D3210D6949C8282E8
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                    • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                    • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                    • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                    APIs
                                    • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Startup
                                    • String ID:
                                    • API String ID: 724789610-0
                                    • Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                    • Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
                                    • Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                    • Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: send
                                    • String ID:
                                    • API String ID: 2809346765-0
                                    • Opcode ID: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
                                    • Instruction ID: 80dceff54fd7c7607e374e8a405dba3f032bb15cdc3f4a53630576a73fa931ff
                                    • Opcode Fuzzy Hash: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
                                    • Instruction Fuzzy Hash: 79B09279108202FFCB150B60CD0887A7EAAABC8381F008A2CB187411B1C636C852AB26
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: recv
                                    • String ID:
                                    • API String ID: 1507349165-0
                                    • Opcode ID: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
                                    • Instruction ID: 54da5cb0358175ea3eef87e0ba5f02fe09cc36e19498aa822303b7a5c5cf0de8
                                    • Opcode Fuzzy Hash: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
                                    • Instruction Fuzzy Hash: 38B09B75108302FFC6150750CC0486A7D66DBC8351B00481C714641170C736C8519725
                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                    • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                      • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C2EC
                                      • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C31C
                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C371
                                      • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C3D2
                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C3D9
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                    • DeleteFileA.KERNEL32(?), ref: 00408652
                                      • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                      • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                      • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                      • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                    • Sleep.KERNEL32(000007D0), ref: 004086F8
                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                      • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                    • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                    • API String ID: 1067849700-181434739
                                    • Opcode ID: a70f240359ba1a68c472f995740389da0d47dfedb64d48b38e90ed404f3a4297
                                    • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                    • Opcode Fuzzy Hash: a70f240359ba1a68c472f995740389da0d47dfedb64d48b38e90ed404f3a4297
                                    • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004056E6
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • __Init_thread_footer.LIBCMT ref: 00405723
                                    • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                    • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                    • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                    • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                    • CloseHandle.KERNEL32 ref: 00405A23
                                    • CloseHandle.KERNEL32 ref: 00405A2B
                                    • CloseHandle.KERNEL32 ref: 00405A3D
                                    • CloseHandle.KERNEL32 ref: 00405A45
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                    • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                    • API String ID: 2994406822-18413064
                                    • Opcode ID: 760f4996ecd9c950b3b283c9084ec50af7159fe22134d94a29047de51833be44
                                    • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                    • Opcode Fuzzy Hash: 760f4996ecd9c950b3b283c9084ec50af7159fe22134d94a29047de51833be44
                                    • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                    APIs
                                    • GetCurrentProcessId.KERNEL32 ref: 00412106
                                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                      • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                      • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                    • CloseHandle.KERNEL32(00000000), ref: 00412155
                                    • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                    • String ID: 8)b$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                    • API String ID: 3018269243-4198400310
                                    • Opcode ID: a6f06d6d975461e53999e87d355abb972fdf6fcb2e3af8b957eb56666153e528
                                    • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                    • Opcode Fuzzy Hash: a6f06d6d975461e53999e87d355abb972fdf6fcb2e3af8b957eb56666153e528
                                    • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                    • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                    • FindClose.KERNEL32(00000000), ref: 0040BD12
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                    • API String ID: 1164774033-3681987949
                                    • Opcode ID: f67c7b742204fdc5d77f255c0325554f1dfd1f76d2e9b6ee77996e0de3cbfab6
                                    • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                    • Opcode Fuzzy Hash: f67c7b742204fdc5d77f255c0325554f1dfd1f76d2e9b6ee77996e0de3cbfab6
                                    • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                    APIs
                                    • OpenClipboard.USER32 ref: 004168C2
                                    • EmptyClipboard.USER32 ref: 004168D0
                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                    • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                    • CloseClipboard.USER32 ref: 00416955
                                    • OpenClipboard.USER32 ref: 0041695C
                                    • GetClipboardData.USER32(0000000D), ref: 0041696C
                                    • GlobalLock.KERNEL32(00000000), ref: 00416975
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                    • CloseClipboard.USER32 ref: 00416984
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                    • String ID: !D@$hdF
                                    • API String ID: 3520204547-3475379602
                                    • Opcode ID: 251126a187cec31cd5273b3430a1e3e85d5a02b92eef6e9a9353f0c96c5fadc2
                                    • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                    • Opcode Fuzzy Hash: 251126a187cec31cd5273b3430a1e3e85d5a02b92eef6e9a9353f0c96c5fadc2
                                    • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                    • String ID: 8)b$C:\Program Files(x86)\Internet Explorer\$Inj$hdF$hdF$ieinstal.exe$ielowutil.exe
                                    • API String ID: 3756808967-3942534085
                                    • Opcode ID: 5a2294e59db7c27b7807dc3d136ce10c94905aa7ef5ac5238dac54e749f80625
                                    • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                    • Opcode Fuzzy Hash: 5a2294e59db7c27b7807dc3d136ce10c94905aa7ef5ac5238dac54e749f80625
                                    • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                    • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                    • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                    • FindClose.KERNEL32(00000000), ref: 0040BED0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$Close$File$FirstNext
                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 3527384056-432212279
                                    • Opcode ID: 5cc50f8fd21b53155f4fa546f2c7f68f14a55f9ccce602792c20db31142d2112
                                    • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                    • Opcode Fuzzy Hash: 5cc50f8fd21b53155f4fa546f2c7f68f14a55f9ccce602792c20db31142d2112
                                    • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                    APIs
                                    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                    • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                    • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                    • CloseHandle.KERNEL32(?), ref: 00413465
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                    • String ID:
                                    • API String ID: 297527592-0
                                    • Opcode ID: 7389cf943c6bcf248480826047218ee6b0a919d85f38051736b06d81fd75e68c
                                    • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                    • Opcode Fuzzy Hash: 7389cf943c6bcf248480826047218ee6b0a919d85f38051736b06d81fd75e68c
                                    • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0$1$2$3$4$5$6$7$VG
                                    • API String ID: 0-1861860590
                                    • Opcode ID: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                    • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                    • Opcode Fuzzy Hash: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                    • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C2EC
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C31C
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C38E
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C39B
                                      • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C371
                                    • GetLastError.KERNEL32(?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C3BC
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C3D2
                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C3D9
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,8)b,004752F0,00000001), ref: 0041C3E2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                    • String ID: 8)b
                                    • API String ID: 2341273852-851702437
                                    • Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                    • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                    • Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                    • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                    APIs
                                    • _wcslen.LIBCMT ref: 00407521
                                    • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Object_wcslen
                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                    • API String ID: 240030777-3166923314
                                    • Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                    • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                    • Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                    • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
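The function above builds a COM elevation moniker from two separately stored strings, the "Elevation:Administrator!new:" prefix and the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, and hands it to CoGetObject; the log strings ([+] CoGetObject SUCCESS, ucmAllocateElevatedObject) match the UACMe project's CMSTPLUA method. The scanner below is an added example, not code from the report or the sample. It looks for the two pieces independently, in ASCII and UTF-16LE, because a signature on the concatenated moniker misses a binary that only assembles it at run time. The blob it scans when run without arguments is constructed here for demonstration.

```python
"""Scan a PE file or memory dump for the two strings the CMSTPLUA elevation
function above assembles into a COM moniker.  Added example, not part of the report."""
import re
import sys

# Taken from the String ID entries of the CoGetObject function above; the sample stores
# them separately and joins them at run time, so a signature on the full moniker misses it.
ELEVATION_PREFIX = "Elevation:Administrator!new:"
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
INDICATORS = {"elevation_prefix": ELEVATION_PREFIX, "cmstplua_clsid": CMSTPLUA_CLSID}


def find_indicators(blob):
    """Every ASCII or UTF-16LE occurrence of each indicator, sorted by offset.
    Matching is case-insensitive because CLSIDs are; the interleaved NULs of
    UTF-16LE are untouched by that, so one regex flag covers both encodings."""
    hits = []
    for label, text in INDICATORS.items():
        for enc, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
            needle = re.escape(text.encode(codec))
            for m in re.finditer(needle, blob, re.IGNORECASE):
                hits.append({"indicator": label, "encoding": enc, "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def verdict(hits):
    """Both pieces present (any encoding, not necessarily adjacent) is the strong signal.
    The CLSID alone is weak: it is a registered Windows COM class (cmstplua.dll)."""
    kinds = {h["indicator"] for h in hits}
    if kinds >= {"elevation_prefix", "cmstplua_clsid"}:
        return "likely CMSTPLUA UAC bypass: elevation moniker prefix and CLSID both present"
    if "cmstplua_clsid" in kinds:
        return "weak: CMSTPLUA CLSID only"
    if "elevation_prefix" in kinds:
        return "weak: elevation moniker prefix without the CMSTPLUA CLSID"
    return "no indicators"


# Constructed blob for the demonstration (not bytes from the sample): the two strings
# stored apart, UTF-16LE encoded, CLSID lower-cased to exercise case-insensitive matching.
SAMPLE_BLOB = (b"\x00" * 64 + ELEVATION_PREFIX.encode("utf-16-le")
               + b"\x00" * 32 + CMSTPLUA_CLSID.lower().encode("utf-16-le") + b"\x00" * 16)


def main(argv):
    blob = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_BLOB
    hits = find_indicators(blob)
    for h in hits:
        print(f"{h['offset']:#010x}  {h['encoding']:<8}  {h['indicator']}")
    print(verdict(hits))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the unpacked sample or one of the .sdmp memory dumps listed above (`python scan.py dump.sdmp`). A packed or encrypted stage will show nothing on disk and only light up in the process memory dump, which is why the dump, not the dropper, is the right input.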
                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                    • GetLastError.KERNEL32 ref: 0041A7BB
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                    • String ID:
                                    • API String ID: 3587775597-0
                                    • Opcode ID: c2c0025c57c9184c186f90ff8c77a7af65f28d98b3056bfc8770941e6fbd2c57
                                    • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                    • Opcode Fuzzy Hash: c2c0025c57c9184c186f90ff8c77a7af65f28d98b3056bfc8770941e6fbd2c57
                                    • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$CreateFirstNext
                                    • String ID: (eF$8SG$PXG$PXG$NG$PG
                                    • API String ID: 341183262-875132146
                                    • Opcode ID: fa513e1650efbdfc7118e76635ac31e947360e9aed22bae7ace8eedab739837c
                                    • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                    • Opcode Fuzzy Hash: fa513e1650efbdfc7118e76635ac31e947360e9aed22bae7ace8eedab739837c
                                    • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                    • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                    • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                    • String ID: lJD$lJD$lJD
                                    • API String ID: 745075371-479184356
                                    • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                    • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                    • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                    • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                    • FindClose.KERNEL32(00000000), ref: 0040C47D
                                    • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 1164774033-405221262
                                    • Opcode ID: 778d0e55463469e3bd3f63c6ac431236a83d77e410adc205391174306d863ebc
                                    • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                    • Opcode Fuzzy Hash: 778d0e55463469e3bd3f63c6ac431236a83d77e410adc205391174306d863ebc
                                    • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                    • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                    • GetLastError.KERNEL32 ref: 0040A2ED
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                    • TranslateMessage.USER32(?), ref: 0040A34A
                                    • DispatchMessageA.USER32(?), ref: 0040A355
                                    Strings
                                    • Keylogger initialization failure: error , xrefs: 0040A301
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                    • String ID: Keylogger initialization failure: error
                                    • API String ID: 3219506041-952744263
                                    • Opcode ID: 565b5ccb6e78a691ec5ddd9f3789ed7e5c3552f9939a09d58bd2f2de98618cfb
                                    • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                    • Opcode Fuzzy Hash: 565b5ccb6e78a691ec5ddd9f3789ed7e5c3552f9939a09d58bd2f2de98618cfb
                                    • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 0040A416
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                    • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                    • GetKeyState.USER32(00000010), ref: 0040A433
                                    • GetKeyboardState.USER32(?), ref: 0040A43E
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                    • String ID:
                                    • API String ID: 1888522110-0
                                    • Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                                    • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                    • Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                                    • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                    APIs
                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                    • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                    • API String ID: 2127411465-314212984
                                    • Opcode ID: b4893ef033a9ee04608ed919ae18d9c5a0f90bfd274c4fcb927e554b57608227
                                    • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                                    • Opcode Fuzzy Hash: b4893ef033a9ee04608ed919ae18d9c5a0f90bfd274c4fcb927e554b57608227
                                    • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                                    APIs
                                    • _free.LIBCMT ref: 00449212
                                    • _free.LIBCMT ref: 00449236
                                    • _free.LIBCMT ref: 004493BD
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                    • _free.LIBCMT ref: 00449589
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                    • String ID:
                                    • API String ID: 314583886-0
                                    • Opcode ID: 7c3b7828bc6274b5bd5b11a11cafc48e9b57d165ada4f59c78a52a9162688001
                                    • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                                    • Opcode Fuzzy Hash: 7c3b7828bc6274b5bd5b11a11cafc48e9b57d165ada4f59c78a52a9162688001
                                    • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                    Strings
                                    • aF, xrefs: 004070F1
                                    • aF, xrefs: 00406FE0
                                    • C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, xrefs: 00407007, 0040712F
                                    • open, xrefs: 00406FB6
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: DownloadExecuteFileShell
                                    • String ID: aF$ aF$C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe$open
                                    • API String ID: 2825088817-3375667432
                                    • Opcode ID: 5d4e3c66d3cb5693cf17a53ba45bcfd5374de60b1c583c21400b4fe5e30b2e29
                                    • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                    • Opcode Fuzzy Hash: 5d4e3c66d3cb5693cf17a53ba45bcfd5374de60b1c583c21400b4fe5e30b2e29
                                    • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00408811
                                    • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                    • String ID: hdF
                                    • API String ID: 1771804793-665520524
                                    • Opcode ID: 390627094965f1798e55e015da18b83244ade312cf37f9ca5738f400f7c59cf5
                                    • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                    • Opcode Fuzzy Hash: 390627094965f1798e55e015da18b83244ade312cf37f9ca5738f400f7c59cf5
                                    • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                    APIs
                                      • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                      • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                      • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                      • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                      • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                    • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                    • String ID: !D@$PowrProf.dll$SetSuspendState
                                    • API String ID: 1589313981-2876530381
                                    • Opcode ID: 8ce191c967a42c787c9f60fc832cecced2ee4e9844afd20766cc7ce476c8f96f
                                    • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                    • Opcode Fuzzy Hash: 8ce191c967a42c787c9f60fc832cecced2ee4e9844afd20766cc7ce476c8f96f
                                    • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                    • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                    • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP$['E
                                    • API String ID: 2299586839-2532616801
                                    • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                    • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                    • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                    • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                    • GetLastError.KERNEL32 ref: 0040BA58
                                    Strings
                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                    • [Chrome StoredLogins not found], xrefs: 0040BA72
                                    • UserProfile, xrefs: 0040BA1E
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    • API String ID: 2018770650-1062637481
                                    • Opcode ID: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                                    • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                    • Opcode Fuzzy Hash: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                                    • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                    • GetLastError.KERNEL32 ref: 0041799D
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 3534403312-3733053543
                                    • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                    • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                    • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                    • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                    APIs
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: df2971786bbf8e496eef17942e665dfb4286cfe499c735b5cf4645abbbd9631d
                                    • Instruction ID: adbfc57a6ba9eb8fd61ef87ee4788d0f45260f030e03b769905361500cdb2a19
                                    • Opcode Fuzzy Hash: df2971786bbf8e496eef17942e665dfb4286cfe499c735b5cf4645abbbd9631d
                                    • Instruction Fuzzy Hash: EBC26E71E046288FDB25CE28DD407EAB3B5EB85306F1541EBD80DE7241E778AE898F45
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00409258
                                      • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                    • FindClose.KERNEL32(00000000), ref: 004093C1
                                      • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                      • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                      • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                    • FindClose.KERNEL32(00000000), ref: 004095B9
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                    • String ID:
                                    • API String ID: 1824512719-0
                                    • Opcode ID: 66e5523d14644c4e919d6d35766acf297be83262445cdd51cc4dde8fcd070622
                                    • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                    • Opcode Fuzzy Hash: 66e5523d14644c4e919d6d35766acf297be83262445cdd51cc4dde8fcd070622
                                    • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                    • String ID:
                                    • API String ID: 276877138-0
                                    • Opcode ID: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
                                    • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                    • Opcode Fuzzy Hash: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
                                    • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                    • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                    • _wcschr.LIBVCRUNTIME ref: 00451E58
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                    • String ID: sJD
                                    • API String ID: 4212172061-3536923933
                                    • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                    • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                    • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                    • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$FirstNextsend
                                    • String ID: (eF$XPG$XPG
                                    • API String ID: 4113138495-1496965907
                                    • Opcode ID: 3a05d701df8f0ff664f5bc8d802d50a1ff01a44446ce82f6d5a8e89048115d4e
                                    • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                    • Opcode Fuzzy Hash: 3a05d701df8f0ff664f5bc8d802d50a1ff01a44446ce82f6d5a8e89048115d4e
                                    • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                    APIs
                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                    • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                    • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                    • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID: SETTINGS
                                    • API String ID: 3473537107-594951305
                                    • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                    • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                    • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                    • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
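In the entry above the sample calls FindResourceA with the name SETTINGS and type 0000000A, then LoadResource, LockResource and SizeofResource. Type 0x0A is RT_RCDATA, so the configuration is carried in a named RCDATA resource of the image. The Python below is an added editor's example, not part of the Joe Sandbox output, and performs the same lookup offline by walking the three-level PE resource directory (type, name, language) of a raw resource section. The memory dumps this report is built on are marked "based on PE: true" with image base 0x400000, so the RVA stored in a data entry maps directly to an offset inside the dumped image; for a file on disk the RVA must first be translated through the section headers, which is what the section_rva parameter stands for. The resource section it parses is constructed inline for the test; the page says nothing about how the SETTINGS bytes are encoded, so the example stops at returning them.

```python
import struct
from typing import Iterator, Optional, Tuple, Union

RT_RCDATA = 10           # the type ID the sample passes to FindResourceA
HIGH_BIT = 0x80000000    # on Name: entry has a string name; on OffsetToData: points to a subdirectory

Key = Union[int, str]


def _read_dir(section: bytes, off: int) -> Iterator[Tuple[Key, int]]:
    """Yield (name-or-ID, OffsetToData) for each entry of the IMAGE_RESOURCE_DIRECTORY at `off`."""
    _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", section, off)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", section, off + 16 + 8 * i)
        if name & HIGH_BIT:  # IMAGE_RESOURCE_DIR_STRING_U: u16 length, then UTF-16LE chars
            s = name & 0x7FFFFFFF
            (n,) = struct.unpack_from("<H", section, s)
            yield section[s + 2:s + 2 + 2 * n].decode("utf-16-le"), data
        else:
            yield name, data


def _match(key: Key, want: Key) -> bool:
    """FindResource compares string names case-insensitively; numeric IDs must be equal."""
    if isinstance(key, str) and isinstance(want, str):
        return key.upper() == want.upper()
    return key == want


def find_resource(section: bytes, section_rva: int, res_type: Key, res_name: Key) -> Optional[bytes]:
    """Walk type -> name -> language and return the resource bytes (FindResource+LoadResource+SizeofResource)."""
    try:
        for t_key, t_off in _read_dir(section, 0):
            if not _match(t_key, res_type) or not t_off & HIGH_BIT:
                continue
            for n_key, n_off in _read_dir(section, t_off & 0x7FFFFFFF):
                if not _match(n_key, res_name) or not n_off & HIGH_BIT:
                    continue
                for _, d_off in _read_dir(section, n_off & 0x7FFFFFFF):  # first language wins (simplification)
                    if d_off & HIGH_BIT:
                        continue
                    rva, size, _, _ = struct.unpack_from("<IIII", section, d_off)
                    start = rva - section_rva  # the data entry holds an RVA, not a section offset
                    if start < 0 or start + size > len(section):
                        return None
                    return section[start:start + size]
    except struct.error:  # truncated or corrupt directory
        return None
    return None


def build_sample_resource_section(section_rva: int, payload: bytes) -> bytes:
    """Constructed .rsrc image with one RT_RCDATA resource named SETTINGS (offsets are section-relative)."""
    buf = bytearray(144)
    struct.pack_into("<IIHHHH", buf, 0, 0, 0, 0, 0, 0, 1)            # root dir: 1 ID entry
    struct.pack_into("<II", buf, 16, RT_RCDATA, HIGH_BIT | 32)       #   type 10 -> subdir @32
    struct.pack_into("<IIHHHH", buf, 32, 0, 0, 0, 0, 1, 0)           # type dir: 1 named entry
    struct.pack_into("<II", buf, 48, HIGH_BIT | 112, HIGH_BIT | 64)  #   "SETTINGS" (string @112) -> subdir @64
    struct.pack_into("<IIHHHH", buf, 64, 0, 0, 0, 0, 0, 1)           # language dir: 1 ID entry
    struct.pack_into("<II", buf, 80, 0x409, 96)                      #   lang 0x409 -> data entry @96
    struct.pack_into("<IIII", buf, 96, section_rva + 144, len(payload), 0, 0)  # RVA, Size, CodePage, Reserved
    name = "SETTINGS".encode("utf-16-le")
    struct.pack_into("<H", buf, 112, len("SETTINGS"))
    buf[114:114 + len(name)] = name
    return bytes(buf) + payload


if __name__ == "__main__":
    blob = b"\x10constructed-settings-blob"
    sec = build_sample_resource_section(0x9000, blob)
    print(find_resource(sec, 0x9000, RT_RCDATA, "SETTINGS"))
```

find_resource returns None instead of raising when the directory is truncated or when the data entry's RVA falls outside the section it was given; the latter is the usual symptom of passing the wrong section_rva for an on-disk file.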
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0040966A
                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstH_prologNext
                                    • String ID:
                                    • API String ID: 1157919129-0
                                    • Opcode ID: 8c864b4c8a0bf1e215c385589a07c12357ec87fb3bfb998b32f11afd7bc615e9
                                    • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                    • Opcode Fuzzy Hash: 8c864b4c8a0bf1e215c385589a07c12357ec87fb3bfb998b32f11afd7bc615e9
                                    • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                    APIs
                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                      • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                      • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.0.0 Pro), ref: 004137A6
                                      • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,5.0.0 Pro), ref: 004137B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateInfoParametersSystemValue
                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                    • API String ID: 4127273184-3576401099
                                    • Opcode ID: f2c43ad2b54eca36b498e515dc1d07e136ae504e1b99f40133731ebf13c7e4dd
                                    • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                    • Opcode Fuzzy Hash: f2c43ad2b54eca36b498e515dc1d07e136ae504e1b99f40133731ebf13c7e4dd
                                    • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                    • String ID:
                                    • API String ID: 2829624132-0
                                    • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                    • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                    • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                    • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                    • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                    • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                    • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                                    • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                                    • ExitProcess.KERNEL32 ref: 004432EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                    • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                    • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                    • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                    APIs
                                    • OpenClipboard.USER32(00000000), ref: 0040B711
                                    • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                    • CloseClipboard.USER32 ref: 0040B725
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseDataOpen
                                    • String ID:
                                    • API String ID: 2058664381-0
                                    • Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                    • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                    • Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                    • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                    APIs
                                    • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
                                    • NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
                                    • CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseHandleOpenSuspend
                                    • String ID:
                                    • API String ID: 1999457699-0
                                    • Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                    • Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
                                    • Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                    • Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8
                                    APIs
                                    • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
                                    • NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
                                    • CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseHandleOpenResume
                                    • String ID:
                                    • API String ID: 3614150671-0
                                    • Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                    • Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
                                    • Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                    • Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4
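The per-function listings above (service start via OpenSCManagerW/OpenServiceW/StartServiceW, the SETTINGS resource load, SystemParametersInfoW(00000014) next to the Control Panel\Desktop strings, IsDebuggerPresent, OpenClipboard/GetClipboardData(0000000D), OpenProcess(00000800) followed by NtSuspendProcess or NtResumeProcess) are the raw evidence behind the signature list at the top of the report. As an added example that is not part of the Joe Sandbox output, the Python below parses lines in exactly this format and applies a small set of triage rules keyed on the API name plus the constant the sample passes: 0x0A is RT_RCDATA, 0x14 is SPI_SETDESKWALLPAPER, 0xD is CF_UNICODETEXT and 0x800 is PROCESS_SUSPEND_RESUME. The rule labels are this example's own, and the sample input is copied from the entries on this page. Two caveats the rules encode: "Part of subcall function" lines are inherited from callees and are reported separately from direct calls (the RegSetValueExA under the wallpaper function is one; so is the GetLastError/_free/_abort noise from subcall 00448215 that appears under every locale helper), and the IsDebuggerPresent at 0043BC1A followed by SetUnhandledExceptionFilter and UnhandledExceptionFilter is the three-call sequence the MSVC runtime's abort path emits, so on its own it is a weak indicator even though the sandbox signature fires on it.

```python
import re
from typing import Dict, List, Optional

# Windows SDK constants matching the values the sample passes in the listings above.
RT_RCDATA = 0x0A                 # FindResourceA(SETTINGS, 0000000A, ...)
SPI_SETDESKWALLPAPER = 0x14      # SystemParametersInfoW(00000014, ...)
PROCESS_SUSPEND_RESUME = 0x800   # OpenProcess(00000800, ...)

# One API bullet: optional "Part of subcall function X:" prefix, Api.MODULE, optional "(args)", "ref: addr".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_lines(text: str) -> List[dict]:
    """Parse every API bullet in `text`; headings, dump sources and hashes do not match."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"], "args": args,
                      "ref": int(m["ref"], 16), "inherited": m["sub"] is not None})
    return calls


def _arg_value(arg: str) -> Optional[int]:
    """Numeric arguments are printed as 8 hex digits; '?' and string literals give None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


# (label, APIs that must all appear, optional (api, argument index, expected value)).
# Labels are this example's own triage vocabulary, not Joe Sandbox signature names.
RULES = [
    ("service-start", {"OpenSCManagerW", "OpenServiceW", "StartServiceW"}, None),
    ("resource-config-load", {"FindResourceA", "LoadResource", "LockResource", "SizeofResource"},
     ("FindResourceA", 1, RT_RCDATA)),
    ("wallpaper-change", {"SystemParametersInfoW"}, ("SystemParametersInfoW", 0, SPI_SETDESKWALLPAPER)),
    ("registry-write", {"RegSetValueExA"}, None),
    ("debugger-check", {"IsDebuggerPresent"}, None),
    ("process-suspend", {"OpenProcess", "NtSuspendProcess"}, ("OpenProcess", 0, PROCESS_SUSPEND_RESUME)),
]


def triage(calls: List[dict]) -> Dict[str, str]:
    """Labels for one function; the value records whether every required API was a direct call."""
    found = {}
    for label, apis, arg_check in RULES:
        if {c["api"] for c in calls if c["api"] in apis} != apis:
            continue
        if arg_check:
            api, idx, want = arg_check
            if not any(c["api"] == api and len(c["args"]) > idx
                       and _arg_value(c["args"][idx]) == want for c in calls):
                continue
        direct = {c["api"] for c in calls if c["api"] in apis and not c["inherited"]}
        found[label] = "direct" if direct == apis else "via-subcall"
    return found


def split_functions(text: str) -> List[str]:
    """Every 'APIs' heading in the report opens a new function's listing."""
    chunks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            if cur is not None:
                chunks.append("\n".join(cur))
            cur = []
        elif cur is not None:
            cur.append(line)
    if cur is not None:
        chunks.append("\n".join(cur))
    return chunks


def triage_report(text: str) -> List[Dict[str, str]]:
    return [triage(parse_api_lines(chunk)) for chunk in split_functions(text)]


# Constructed input: five entries copied from the listings on this page.
SAMPLE_REPORT = """\
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
• LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
• LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
• SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
  • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.0.0 Pro), ref: 004137A6
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC1A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
• NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
"""

if __name__ == "__main__":
    for i, labels in enumerate(triage_report(SAMPLE_REPORT)):
        print(f"function {i}: {labels}")
```

Run against a whole exported report, the output is one dict per function entry; an empty dict means none of the rules fired, which is the expected result for the CRT locale and error-handling helpers that make up most of the entries on this page.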
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: .
                                    • API String ID: 0-248832578
                                    • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                    • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                                    • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                    • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID: lJD
                                    • API String ID: 1084509184-3316369744
                                    • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                    • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                    • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                    • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID: lJD
                                    • API String ID: 1084509184-3316369744
                                    • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                    • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                    • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                    • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: GetLocaleInfoEx
                                    • API String ID: 2299586839-2904428671
                                    • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                    • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                    • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                    • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                    • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                    • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                    • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
                                    • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                    • Opcode Fuzzy Hash: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
                                    • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00453326,?,?,00000008,?,?,004561DD,00000000), ref: 00453558
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                    • Instruction ID: ef9cfcefdd20db456822e604066c987cb5d00f1002a97bdaec88d2537339d9b1
                                    • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                    • Instruction Fuzzy Hash: 40B16C311106089FD715CF28C48AB657BE0FF053A6F258659EC9ACF3A2C739DA96CB44
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
                                    • Instruction ID: aa2317f629b7fe23c078ec1ce6c5eb8ae6c7f7e5ba67e2b2e47e92e01b9ebfde
                                    • Opcode Fuzzy Hash: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
                                    • Instruction Fuzzy Hash: A4126F32B083008BD714EF6AD851A1FB3E2BFCC758F15892EF585A7391DA34E9058B46
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-0
                                    • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                    • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                    • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                    • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                    • String ID:
                                    • API String ID: 1663032902-0
                                    • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                    • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                    • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                    • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale_abort_free
                                    • String ID:
                                    • API String ID: 2692324296-0
                                    • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                    • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                    • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                    • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                    APIs
                                      • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                    • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                    • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                    • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                    • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                    • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                    • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                    • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                    • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                    • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                    • Instruction Fuzzy Hash:
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    APIs
                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                    • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                      • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                    • DeleteDC.GDI32(00000000), ref: 00418F2A
                                    • DeleteDC.GDI32(00000000), ref: 00418F2D
                                    • DeleteObject.GDI32(00000000), ref: 00418F30
                                    • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                    • DeleteDC.GDI32(00000000), ref: 00418F62
                                    • DeleteDC.GDI32(00000000), ref: 00418F65
                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                    • GetCursorInfo.USER32(?), ref: 00418FA7
                                    • GetIconInfo.USER32(?,?), ref: 00418FBD
                                    • DeleteObject.GDI32(?), ref: 00418FEC
                                    • DeleteObject.GDI32(?), ref: 00418FF9
                                    • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                    • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                    • DeleteDC.GDI32(?), ref: 0041917C
                                    • DeleteDC.GDI32(00000000), ref: 0041917F
                                    • DeleteObject.GDI32(00000000), ref: 00419182
                                    • GlobalFree.KERNEL32(?), ref: 0041918D
                                    • DeleteObject.GDI32(00000000), ref: 00419241
                                    • GlobalFree.KERNEL32(?), ref: 00419248
                                    • DeleteDC.GDI32(?), ref: 00419258
                                    • DeleteDC.GDI32(00000000), ref: 00419263
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                    • String ID: DISPLAY
                                    • API String ID: 4256916514-865373369
                                    • Opcode ID: f392394fe482629c540e7e64cf6a4c742858ec4acf93355850be4a976d5cc3ae
                                    • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                    • Opcode Fuzzy Hash: f392394fe482629c540e7e64cf6a4c742858ec4acf93355850be4a976d5cc3ae
                                    • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,8)b,004752F0,?,pth_unenc), ref: 0040B8BB
                                      • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                    • ExitProcess.KERNEL32 ref: 0040D7D0
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$wend$while fso.FileExists("
                                    • API String ID: 1861856835-2780701618
                                    • Opcode ID: fee8ff9718fb40c9beafe4bb2eefbd291afa4f5ad22c135011e1b35f2f9dc20b
                                    • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                    • Opcode Fuzzy Hash: fee8ff9718fb40c9beafe4bb2eefbd291afa4f5ad22c135011e1b35f2f9dc20b
                                    • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                    APIs
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                    • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                    • ResumeThread.KERNEL32(?), ref: 00418435
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                    • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                    • GetLastError.KERNEL32 ref: 0041847A
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                    • API String ID: 4188446516-3035715614
                                    • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                    • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                    • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                    • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,8)b,004752F0,?,pth_unenc), ref: 0040B8BB
                                      • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                      • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                    • ExitProcess.KERNEL32 ref: 0040D419
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: ")$.vbs$8)b$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$pth_unenc$wend$while fso.FileExists("
                                    • API String ID: 3797177996-810501555
                                    • Opcode ID: 4b4a4e1b4e3b5756a36c8647b5f37cacc16024b06e010f5374005e12c290012d
                                    • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                    • Opcode Fuzzy Hash: 4b4a4e1b4e3b5756a36c8647b5f37cacc16024b06e010f5374005e12c290012d
                                    • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                    • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                    • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                    • GetCurrentProcessId.KERNEL32 ref: 00412541
                                    • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                    • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                      • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                    • Sleep.KERNEL32(000001F4), ref: 00412682
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                    • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                    • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                    • String ID: .exe$8SG$WDH$exepath$open$temp_
                                    • API String ID: 2649220323-436679193
                                    • Opcode ID: 4f95786cf2f2c00e5bb866ed93791c3a94b5cceb6ba25eb1f7637f0f1d303f44
                                    • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                    • Opcode Fuzzy Hash: 4f95786cf2f2c00e5bb866ed93791c3a94b5cceb6ba25eb1f7637f0f1d303f44
                                    • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                    APIs
                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                    • SetEvent.KERNEL32 ref: 0041B219
                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                    • CloseHandle.KERNEL32 ref: 0041B23A
                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                    • API String ID: 738084811-2094122233
                                    • Opcode ID: ba800d4004146261746f0cd5f3fc473224d9ed50ddfc1a75890d8c2e6864336c
                                    • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                    • Opcode Fuzzy Hash: ba800d4004146261746f0cd5f3fc473224d9ed50ddfc1a75890d8c2e6864336c
                                    • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                    • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                    • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                    • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: File$Write$Create
                                    • String ID: RIFF$WAVE$data$fmt
                                    • API String ID: 1602526932-4212202414
                                    • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                    • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                    • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                    • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                    APIs
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe,00000001,0040764D,C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe,00000003,00407675,8)b,004076CE), ref: 00407284
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                    • API String ID: 1646373207-606663936
                                    • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                    • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                    • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                    • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                    APIs
                                    • _wcslen.LIBCMT ref: 0040CE07
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                    • _wcslen.LIBCMT ref: 0040CEE6
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe,00000000,00000000), ref: 0040CF84
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                    • _wcslen.LIBCMT ref: 0040CFC6
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                    • ExitProcess.KERNEL32 ref: 0040D062
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                    • String ID: 6$8)b$C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe$del$hdF$open
                                    • API String ID: 1579085052-624166804
                                    • Opcode ID: 4f87b9d86e0d177ce47a61f674f44f3f48b1c9db7a96dc1323a3ea9f6ed17011
                                    • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                    • Opcode Fuzzy Hash: 4f87b9d86e0d177ce47a61f674f44f3f48b1c9db7a96dc1323a3ea9f6ed17011
                                    • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                    APIs
                                    • lstrlenW.KERNEL32(?), ref: 0041C036
                                    • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                    • lstrlenW.KERNEL32(?), ref: 0041C067
                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                    • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                    • _wcslen.LIBCMT ref: 0041C13B
                                    • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                    • GetLastError.KERNEL32 ref: 0041C173
                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                    • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                    • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                    • GetLastError.KERNEL32 ref: 0041C1D0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                    • String ID: ?
                                    • API String ID: 3941738427-1684325040
                                    • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                    • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                    • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                    • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$EnvironmentVariable$_wcschr
                                    • String ID:
                                    • API String ID: 3899193279-0
                                    • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                    • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                    • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                    • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                    • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                    • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                    • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                    • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                    • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                    • Sleep.KERNEL32(00000064), ref: 00412E94
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                    • String ID: /stext "$0TG$0TG$NG$NG
                                    • API String ID: 1223786279-2576077980
                                    • Opcode ID: d54e331117d8c7fdba70c9a4bc9b0484f6a85fff65a6912aceb0fb466698988d
                                    • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                    • Opcode Fuzzy Hash: d54e331117d8c7fdba70c9a4bc9b0484f6a85fff65a6912aceb0fb466698988d
                                    • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                    • __aulldiv.LIBCMT ref: 00408D4D
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                    • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                    • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                    • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $hdF$NG
                                    • API String ID: 3086580692-1206044436
                                    • Opcode ID: d1b9c816e5d1263f909c3fff94fbbac36937d18fe3b7cd58c2ed58fe6728196b
                                    • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                    • Opcode Fuzzy Hash: d1b9c816e5d1263f909c3fff94fbbac36937d18fe3b7cd58c2ed58fe6728196b
                                    • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                    APIs
                                    • Sleep.KERNEL32(00001388), ref: 0040A740
                                      • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                      • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                      • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                      • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                    • String ID: 8SG$8SG$hdF$pQG$pQG$PG$PG
                                    • API String ID: 3795512280-4009011672
                                    • Opcode ID: 1b86f33e2813ac9ce889fc21d85687f64281119cd91f5dea58d0e0166611a616
                                    • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                    • Opcode Fuzzy Hash: 1b86f33e2813ac9ce889fc21d85687f64281119cd91f5dea58d0e0166611a616
                                    • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                    APIs
                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                    • GetCursorPos.USER32(?), ref: 0041D5E9
                                    • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                    • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                    • ExitProcess.KERNEL32 ref: 0041D665
                                    • CreatePopupMenu.USER32 ref: 0041D66B
                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                    • String ID: Close
                                    • API String ID: 1657328048-3535843008
                                    • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                    • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                    • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                    • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$Info
                                    • String ID:
                                    • API String ID: 2509303402-0
                                    • Opcode ID: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                                    • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                    • Opcode Fuzzy Hash: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                                    • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                    APIs
                                      • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                      • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                      • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                      • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                      • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                    • ExitProcess.KERNEL32 ref: 0040D9C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                    • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$hdF$open
                                    • API String ID: 1913171305-51354631
                                    • Opcode ID: 920a0537c73373d1fa928f529e957bf362437fc51c5983c7c145f5f31e510bcc
                                    • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                    • Opcode Fuzzy Hash: 920a0537c73373d1fa928f529e957bf362437fc51c5983c7c145f5f31e510bcc
                                    • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                    APIs
                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                    • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                    • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                    • String ID: \ws2_32$\wship6$getaddrinfo
                                    • API String ID: 2490988753-3078833738
                                    • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                    • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                    • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                    • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0045130A
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                      • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                    • _free.LIBCMT ref: 004512FF
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00451321
                                    • _free.LIBCMT ref: 00451336
                                    • _free.LIBCMT ref: 00451341
                                    • _free.LIBCMT ref: 00451363
                                    • _free.LIBCMT ref: 00451376
                                    • _free.LIBCMT ref: 00451384
                                    • _free.LIBCMT ref: 0045138F
                                    • _free.LIBCMT ref: 004513C7
                                    • _free.LIBCMT ref: 004513CE
                                    • _free.LIBCMT ref: 004513EB
                                    • _free.LIBCMT ref: 00451403
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                    • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                    • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                    • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00419FB9
                                    • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                    • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                    • GetLocalTime.KERNEL32(?), ref: 0041A105
                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                    • API String ID: 489098229-1431523004
                                    • Opcode ID: 74d135751b3a5a5dd2f0b0327ce2346d099fb9b4d0bdba82b7b527c99728bf6f
                                    • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                    • Opcode Fuzzy Hash: 74d135751b3a5a5dd2f0b0327ce2346d099fb9b4d0bdba82b7b527c99728bf6f
                                    • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                    • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                    • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                    • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                    • closesocket.WS2_32(000000FF), ref: 00404E5A
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                    • String ID:
                                    • API String ID: 3658366068-0
                                    • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                    • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                    • Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                    • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                    APIs
                                      • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                    • GetLastError.KERNEL32 ref: 00455CEF
                                    • __dosmaperr.LIBCMT ref: 00455CF6
                                    • GetFileType.KERNEL32(00000000), ref: 00455D02
                                    • GetLastError.KERNEL32 ref: 00455D0C
                                    • __dosmaperr.LIBCMT ref: 00455D15
                                    • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                    • CloseHandle.KERNEL32(?), ref: 00455E7F
                                    • GetLastError.KERNEL32 ref: 00455EB1
                                    • __dosmaperr.LIBCMT ref: 00455EB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    • API String ID: 4237864984-2852464175
                                    • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                    • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                    • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                    • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                    APIs
                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                    • __alloca_probe_16.LIBCMT ref: 00453EEA
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                    • __alloca_probe_16.LIBCMT ref: 00453F94
                                    • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                    • __freea.LIBCMT ref: 00454003
                                    • __freea.LIBCMT ref: 0045400F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                    • String ID: \@E
                                    • API String ID: 201697637-1814623452
                                    • Opcode ID: fb6195c260b9ae5d4324619eca1f95c452dc13a98459a94436f4153b7f964d62
                                    • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                    • Opcode Fuzzy Hash: fb6195c260b9ae5d4324619eca1f95c452dc13a98459a94436f4153b7f964d62
                                    • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: \&G$\&G$`&G
                                    • API String ID: 269201875-253610517
                                    • Opcode ID: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
                                    • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                    • Opcode Fuzzy Hash: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
                                    • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 65535$udp
                                    • API String ID: 0-1267037602
                                    • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                    • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                    • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                    • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0040AD38
                                    • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                    • GetForegroundWindow.USER32 ref: 0040AD49
                                    • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                    • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                    • String ID: [${ User has been idle for $ minutes }$]
                                    • API String ID: 911427763-3954389425
                                    • Opcode ID: d30eded23f2d0b67c27111b0931e30ad0153d7368d4db81ea9f9fcff43b90795
                                    • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                    • Opcode Fuzzy Hash: d30eded23f2d0b67c27111b0931e30ad0153d7368d4db81ea9f9fcff43b90795
                                    • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                    APIs
                                    • OpenClipboard.USER32 ref: 00416941
                                    • EmptyClipboard.USER32 ref: 0041694F
                                    • CloseClipboard.USER32 ref: 00416955
                                    • OpenClipboard.USER32 ref: 0041695C
                                    • GetClipboardData.USER32(0000000D), ref: 0041696C
                                    • GlobalLock.KERNEL32(00000000), ref: 00416975
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                    • CloseClipboard.USER32 ref: 00416984
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                    • String ID: !D@$hdF
                                    • API String ID: 2172192267-3475379602
                                    • Opcode ID: adf24e29fa33e79d94acba38681993613f0e6ff1af3d37b384c40682ee759fe9
                                    • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                    • Opcode Fuzzy Hash: adf24e29fa33e79d94acba38681993613f0e6ff1af3d37b384c40682ee759fe9
                                    • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                    • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                    • __dosmaperr.LIBCMT ref: 0043A8A6
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                    • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                    • __dosmaperr.LIBCMT ref: 0043A8E3
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                    • __dosmaperr.LIBCMT ref: 0043A937
                                    • _free.LIBCMT ref: 0043A943
                                    • _free.LIBCMT ref: 0043A94A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                    • String ID:
                                    • API String ID: 2441525078-0
                                    • Opcode ID: dbaba6b5bf7e8e3101b206719032b6e5feaa877e1e5831e4faa096a05e69cc69
                                    • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                    • Opcode Fuzzy Hash: dbaba6b5bf7e8e3101b206719032b6e5feaa877e1e5831e4faa096a05e69cc69
                                    • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 004054BF
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                    • TranslateMessage.USER32(?), ref: 0040557E
                                    • DispatchMessageA.USER32(?), ref: 00405589
                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                    • API String ID: 2956720200-749203953
                                    • Opcode ID: 8e38f0021ab5ceb6a51bb45f2befafcb8aa6c96e5f4ff49c8141e1b37ff8813b
                                    • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                    • Opcode Fuzzy Hash: 8e38f0021ab5ceb6a51bb45f2befafcb8aa6c96e5f4ff49c8141e1b37ff8813b
                                    • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                    APIs
                                      • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                    • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                    • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                    • String ID: 0VG$0VG$<$@$Temp
                                    • API String ID: 1704390241-2575729100
                                    • Opcode ID: ab609bc6c18503029a2e12cded3731472e376082a123972419a45b72cc3541d7
                                    • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                    • Opcode Fuzzy Hash: ab609bc6c18503029a2e12cded3731472e376082a123972419a45b72cc3541d7
                                    • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                    • int.LIBCPMT ref: 00410E81
                                      • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                      • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                    • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                    • __Init_thread_footer.LIBCMT ref: 00410F29
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                    • String ID: ,kG$0kG$@!G
                                    • API String ID: 3815856325-312998898
                                    • Opcode ID: 104655b219d7360bbd62e7af1339e96782af3c0a0346709f02f53ac4a63324da
                                    • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                    • Opcode Fuzzy Hash: 104655b219d7360bbd62e7af1339e96782af3c0a0346709f02f53ac4a63324da
                                    • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 7b2cf5faf853fa98289cc991659be0cbca7e258cea3468f32c8f6232fd3e676c
                                    • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                    • Opcode Fuzzy Hash: 7b2cf5faf853fa98289cc991659be0cbca7e258cea3468f32c8f6232fd3e676c
                                    • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                    APIs
                                    • _free.LIBCMT ref: 00448135
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00448141
                                    • _free.LIBCMT ref: 0044814C
                                    • _free.LIBCMT ref: 00448157
                                    • _free.LIBCMT ref: 00448162
                                    • _free.LIBCMT ref: 0044816D
                                    • _free.LIBCMT ref: 00448178
                                    • _free.LIBCMT ref: 00448183
                                    • _free.LIBCMT ref: 0044818E
                                    • _free.LIBCMT ref: 0044819C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                    • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                    • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                    • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                    • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                    Strings
                                    • DisplayName, xrefs: 0041C73C
                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnumOpen
                                    • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                    • API String ID: 1332880857-3614651759
                                    • Opcode ID: 1a8a8a53396f0a73c7c7ebd617f4a58ea8be179d7647117c14ca7f9aabbf758a
                                    • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                    • Opcode Fuzzy Hash: 1a8a8a53396f0a73c7c7ebd617f4a58ea8be179d7647117c14ca7f9aabbf758a
                                    • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Eventinet_ntoa
                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                    • API String ID: 3578746661-3604713145
                                    • Opcode ID: 8def3b601c0ee71e78c1a20cf740c23c2ad26708610e025939b5e8f6ecc491fa
                                    • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                    • Opcode Fuzzy Hash: 8def3b601c0ee71e78c1a20cf740c23c2ad26708610e025939b5e8f6ecc491fa
                                    • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                    • Sleep.KERNEL32(00000064), ref: 00417521
                                    • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CreateDeleteExecuteShellSleep
                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                    • API String ID: 1462127192-2001430897
                                    • Opcode ID: c9329c812ace22898f1d6572bd75a26903cd800588fbd916b534c5d200127bc1
                                    • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                    • Opcode Fuzzy Hash: c9329c812ace22898f1d6572bd75a26903cd800588fbd916b534c5d200127bc1
                                    • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 004073DD
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe), ref: 0040749E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess
                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                    • API String ID: 2050909247-4242073005
                                    • Opcode ID: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                    • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                    • Opcode Fuzzy Hash: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                    • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                    APIs
                                    • _strftime.LIBCMT ref: 00401D50
                                      • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                    • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                    • API String ID: 3809562944-243156785
                                    • Opcode ID: ea46db1a35f2c9a2b045b3db18ee993060b77fd334bfa98162aa65f0038d2e9b
                                    • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                    • Opcode Fuzzy Hash: ea46db1a35f2c9a2b045b3db18ee993060b77fd334bfa98162aa65f0038d2e9b
                                    • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                    APIs
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                    • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                    • waveInStart.WINMM ref: 00401CFE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                    • String ID: dMG$|MG$PG
                                    • API String ID: 1356121797-532278878
                                    • Opcode ID: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                    • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                    • Opcode Fuzzy Hash: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                    • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                      • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                      • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                      • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                    • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                    • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                    • TranslateMessage.USER32(?), ref: 0041D4E9
                                    • DispatchMessageA.USER32(?), ref: 0041D4F3
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                    • String ID: Remcos
                                    • API String ID: 1970332568-165870891
                                    • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                    • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                    • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                    • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7d049b86027effad8d92042d9403d5bfe2ea3e93186a839875c543696ca89538
                                    • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                    • Opcode Fuzzy Hash: 7d049b86027effad8d92042d9403d5bfe2ea3e93186a839875c543696ca89538
                                    • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                    APIs
                                      • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                      • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                      • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                      • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                    • _memcmp.LIBVCRUNTIME ref: 00445423
                                    • _free.LIBCMT ref: 00445494
                                    • _free.LIBCMT ref: 004454AD
                                    • _free.LIBCMT ref: 004454DF
                                    • _free.LIBCMT ref: 004454E8
                                    • _free.LIBCMT ref: 004454F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorLast$_abort_memcmp
                                    • String ID: C
                                    • API String ID: 1679612858-1037565863
                                    • Opcode ID: 0768c3d9e3dd940518f99a63cbcd3aeb961d046fc1a72f364ae26972a0ea9dca
                                    • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                    • Opcode Fuzzy Hash: 0768c3d9e3dd940518f99a63cbcd3aeb961d046fc1a72f364ae26972a0ea9dca
                                    • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: tcp$udp
                                    • API String ID: 0-3725065008
                                    • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                    • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                    • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                    • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004018BE
                                    • ExitThread.KERNEL32 ref: 004018F6
                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                    • String ID: PkG$XMG$NG$NG
                                    • API String ID: 1649129571-3151166067
                                    • Opcode ID: 1addd4459206ccda1a90af457825a19d31b8f08cba5be0a07ed153391840909d
                                    • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                    • Opcode Fuzzy Hash: 1addd4459206ccda1a90af457825a19d31b8f08cba5be0a07ed153391840909d
                                    • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                      • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                      • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnumInfoOpenQuerysend
                                    • String ID: hdF$xUG$NG$NG$TG
                                    • API String ID: 3114080316-2774981958
                                    • Opcode ID: e321fd601a5a508ced69f1c765b97aa59f957093b10026012af0bc573d284bcb
                                    • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                    • Opcode Fuzzy Hash: e321fd601a5a508ced69f1c765b97aa59f957093b10026012af0bc573d284bcb
                                    • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                      • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                      • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                    • String ID: .part
                                    • API String ID: 1303771098-3499674018
                                    • Opcode ID: 4857a6ed22049fc29bba1b292068738278ee234636b3138c3eb0938843477c37
                                    • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                    • Opcode Fuzzy Hash: 4857a6ed22049fc29bba1b292068738278ee234636b3138c3eb0938843477c37
                                    • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                    APIs
                                    • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                    • GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                    • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Console$Window$AllocOutputShow
                                    • String ID: Remcos v$5.0.0 Pro$CONOUT$
                                    • API String ID: 4067487056-2278869229
                                    • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                    • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                    • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                    • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                    Strings
                                    • 8)b, xrefs: 004076A4
                                    • hdF, xrefs: 004076A9
                                    • Rmc-R2I0JW, xrefs: 004076DA
                                    • C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, xrefs: 004076C4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 8)b$C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe$Rmc-R2I0JW$hdF
                                    • API String ID: 0-2888822614
                                    • Opcode ID: a134d68e00a23aec850ce34bab2ba566fca7fbefa287618f70ce8b1be92ee060
                                    • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                    • Opcode Fuzzy Hash: a134d68e00a23aec850ce34bab2ba566fca7fbefa287618f70ce8b1be92ee060
                                    • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                    • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                    • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                    • __freea.LIBCMT ref: 0044AE30
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    • __freea.LIBCMT ref: 0044AE39
                                    • __freea.LIBCMT ref: 0044AE5E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                    • String ID:
                                    • API String ID: 3864826663-0
                                    • Opcode ID: 118846f8b98fa7142c6fc34e08ba9c255994cc722e781db25b6080b075eb9fff
                                    • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                    • Opcode Fuzzy Hash: 118846f8b98fa7142c6fc34e08ba9c255994cc722e781db25b6080b075eb9fff
                                    • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                    APIs
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                    • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InputSend
                                    • String ID:
                                    • API String ID: 3431551938-0
                                    • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                    • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                    • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                    • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16_free
                                    • String ID: a/p$am/pm$zD
                                    • API String ID: 2936374016-2723203690
                                    • Opcode ID: 582b27bd1da2528f23ecf4cf811f425633019422103e053086a59298c2d48650
                                    • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                    • Opcode Fuzzy Hash: 582b27bd1da2528f23ecf4cf811f425633019422103e053086a59298c2d48650
                                    • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                    APIs
                                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Enum$InfoQueryValue
                                    • String ID: [regsplt]$xUG$TG
                                    • API String ID: 3554306468-1165877943
                                    • Opcode ID: 33c7f91080d72b7d6eae4ad8ea9185415ff74703dc449a1b63b856fadc20d013
                                    • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                    • Opcode Fuzzy Hash: 33c7f91080d72b7d6eae4ad8ea9185415ff74703dc449a1b63b856fadc20d013
                                    • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                    APIs
                                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                    • __fassign.LIBCMT ref: 0044B479
                                    • __fassign.LIBCMT ref: 0044B494
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
                                    • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID:
                                    • API String ID: 1324828854-0
                                    • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                    • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                    • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                    • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: D[E$D[E
                                    • API String ID: 269201875-3695742444
                                    • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                    • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                    • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                    • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                    APIs
                                      • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                      • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                      • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                    • _wcslen.LIBCMT ref: 0041B763
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                    • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                    • API String ID: 3286818993-122982132
                                    • Opcode ID: 9e766dfad90d1072eeebd329423a54b06a7feef5cd64e583281de775404f8260
                                    • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                    • Opcode Fuzzy Hash: 9e766dfad90d1072eeebd329423a54b06a7feef5cd64e583281de775404f8260
                                    • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                    APIs
                                      • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                      • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                      • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                    • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                    • API String ID: 1133728706-4073444585
                                    • Opcode ID: 68a42e42b8838ca6718af06bcf6c8b1fb058983d8eb4a6e4fef459ca4e905c38
                                    • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                    • Opcode Fuzzy Hash: 68a42e42b8838ca6718af06bcf6c8b1fb058983d8eb4a6e4fef459ca4e905c38
                                    • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b15328f38de36e2236e67be376e02f2a3afc52644fcc3b23babb247561bddb00
                                    • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                    • Opcode Fuzzy Hash: b15328f38de36e2236e67be376e02f2a3afc52644fcc3b23babb247561bddb00
                                    • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                                    • CloseHandle.KERNEL32(00000000), ref: 0041C459
                                    • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                                    • CloseHandle.KERNEL32(00000000), ref: 0041C477
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreatePointerWrite
                                    • String ID: hpF
                                    • API String ID: 1852769593-151379673
                                    • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                    • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                    • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                    • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                    APIs
                                      • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                    • _free.LIBCMT ref: 00450F48
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00450F53
                                    • _free.LIBCMT ref: 00450F5E
                                    • _free.LIBCMT ref: 00450FB2
                                    • _free.LIBCMT ref: 00450FBD
                                    • _free.LIBCMT ref: 00450FC8
                                    • _free.LIBCMT ref: 00450FD3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                    • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                    • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                    • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                    • int.LIBCPMT ref: 00411183
                                      • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                      • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                    • std::_Facet_Register.LIBCPMT ref: 004111C3
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                    • String ID: (mG
                                    • API String ID: 2536120697-4059303827
                                    • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                    • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                    • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                    • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                    APIs
                                    • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                    • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                    • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                    • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                    • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe), ref: 004075D0
                                      • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                      • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                    • CoUninitialize.OLE32 ref: 00407629
                                    Strings
                                    • [+] before ShellExec, xrefs: 004075F1
                                    • [+] ShellExec success, xrefs: 0040760E
                                    • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5
                                    • C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, xrefs: 004075B0, 004075B3, 00407605
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InitializeObjectUninitialize_wcslen
                                    • String ID: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                    • API String ID: 3851391207-2408141950
                                    • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                    • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                    • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                    • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                    • GetLastError.KERNEL32 ref: 0040BAE7
                                    Strings
                                    • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                    • [Chrome Cookies not found], xrefs: 0040BB01
                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                    • UserProfile, xrefs: 0040BAAD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                    • API String ID: 2018770650-304995407
                                    • Opcode ID: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                    • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                    • Opcode Fuzzy Hash: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                    • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                    APIs
                                    • __allrem.LIBCMT ref: 0043AC69
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                    • __allrem.LIBCMT ref: 0043AC9C
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                    • __allrem.LIBCMT ref: 0043ACD1
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1992179935-0
                                    • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                    • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                    • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                    • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                    APIs
                                    • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                      • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: H_prologSleep
                                    • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                    • API String ID: 3469354165-3054508432
                                    • Opcode ID: 91431f8b5db115c882df2f0e13a11dad090b1a6d8894046dc22c07ac9576aff7
                                    • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                    • Opcode Fuzzy Hash: 91431f8b5db115c882df2f0e13a11dad090b1a6d8894046dc22c07ac9576aff7
                                    • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                    APIs
                                      • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                    • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                    • GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                    • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                      • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                      • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                      • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                    • String ID:
                                    • API String ID: 3950776272-0
                                    APIs
                                    Similarity
                                    • API ID: __cftoe
                                    • String ID:
                                    • API String ID: 4189289331-0
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                    • String ID:
                                    • API String ID: 493672254-0
                                    APIs
                                    • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                    • _free.LIBCMT ref: 0044824C
                                    • _free.LIBCMT ref: 00448274
                                    • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                    • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                    • _abort.LIBCMT ref: 00448293
                                    Similarity
                                    • API ID: ErrorLast$_free$_abort
                                    • String ID:
                                    • API String ID: 3160817290-0
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe,00000104), ref: 00443475
                                    • _free.LIBCMT ref: 00443540
                                    • _free.LIBCMT ref: 0044354A
                                    Similarity
                                    • API ID: _free$FileModuleName
                                    • String ID: 8(a$C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe
                                    • API String ID: 2506810119-3401619472
                                    APIs
                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                    • wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Similarity
                                    • API ID: EventLocalTimewsprintf
                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                    • API String ID: 1497725170-248792730
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                    • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                    • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                    Similarity
                                    • API ID: File$CloseCreateHandleSizeSleep
                                    • String ID: XQG
                                    • API String ID: 1958988193-3606453820
                                    APIs
                                    • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                    • GetLastError.KERNEL32 ref: 0041D580
                                    Similarity
                                    • API ID: ClassCreateErrorLastRegisterWindow
                                    • String ID: 0$MsgWindowClass
                                    • API String ID: 2877667751-2410386613
                                    APIs
                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                    • CloseHandle.KERNEL32(?), ref: 004077AA
                                    • CloseHandle.KERNEL32(?), ref: 004077AF
                                    Strings
                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                    • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                    Similarity
                                    • API ID: CloseHandle$CreateProcess
                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                    • API String ID: 2922976086-4183131282
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Similarity
                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                    • String ID: KeepAlive | Disabled
                                    • API String ID: 2993684571-305739064
                                    • Opcode ID: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
                                    • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                    • Opcode Fuzzy Hash: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
                                    • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                    APIs
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                    • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                    • Sleep.KERNEL32(00002710), ref: 0041AE07
                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                    Similarity
                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                    • String ID: Alarm triggered
                                    • API String ID: 614609389-2816303416
                                    • Opcode ID: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
                                    • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                    • Opcode Fuzzy Hash: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
                                    • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                    Strings
                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                    Similarity
                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                    • API String ID: 3024135584-2418719853
                                    • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                    • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                    • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                    • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                    • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                    • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                    • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                    APIs
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    • _free.LIBCMT ref: 00444E06
                                    • _free.LIBCMT ref: 00444E1D
                                    • _free.LIBCMT ref: 00444E3C
                                    • _free.LIBCMT ref: 00444E57
                                    • _free.LIBCMT ref: 00444E6E
                                    Similarity
                                    • API ID: _free$AllocateHeap
                                    • String ID:
                                    • API String ID: 3033488037-0
                                    • Opcode ID: d775a197f71d536e5d52874a7a30662ad33d8ad4d8240f212ad1ffb4432d1cba
                                    • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                    • Opcode Fuzzy Hash: d775a197f71d536e5d52874a7a30662ad33d8ad4d8240f212ad1ffb4432d1cba
                                    • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                    APIs
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                    • _free.LIBCMT ref: 004493BD
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00449589
                                    Similarity
                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                    • String ID:
                                    • API String ID: 1286116820-0
                                    • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                    • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                    • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                    • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                    APIs
                                      • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                    • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                      • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                      • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                    Similarity
                                    • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 2180151492-0
                                    • Opcode ID: e6f2a931ab95e18956fb0cb6133098acbc9c67bef40703332bd554151389558f
                                    • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                    • Opcode Fuzzy Hash: e6f2a931ab95e18956fb0cb6133098acbc9c67bef40703332bd554151389558f
                                    • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                    APIs
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                    • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                    • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                    • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                                    • __alloca_probe_16.LIBCMT ref: 004511B1
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                                    • __freea.LIBCMT ref: 0045121D
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                    • String ID:
                                    • API String ID: 313313983-0
                                    • Opcode ID: 176232f54f3ec98bfb029651777c0c6490447229ae5715771154ed3ce12be0f5
                                    • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                    • Opcode Fuzzy Hash: 176232f54f3ec98bfb029651777c0c6490447229ae5715771154ed3ce12be0f5
                                    • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                    APIs
                                      • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                      • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                      • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                                    • Sleep.KERNEL32(00000BB8), ref: 0041277A
                                    Similarity
                                    • API ID: CloseOpenQuerySleepValue
                                    • String ID: 8)b$8SG$exepath$hdF
                                    • API String ID: 4119054056-960711662
                                    • Opcode ID: abf20036ad70d98174a07eb652c7711c4b2f7adaf8a1d534f2fe302cffeed402
                                    • Instruction ID: f3cf03c5a64ef847c6da3637c810c9cb64e8e240b2c65477c235684d5dc29c85
                                    • Opcode Fuzzy Hash: abf20036ad70d98174a07eb652c7711c4b2f7adaf8a1d534f2fe302cffeed402
                                    • Instruction Fuzzy Hash: B52148A0B0030427DA00B7366D46EBF724E8B84318F40443FB916E72D3EEBC9C48426D
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                      • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                    • _free.LIBCMT ref: 0044F3BF
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                    Similarity
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                    • String ID:
                                    • API String ID: 336800556-0
                                    • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                    • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                    • Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                    • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                    APIs
                                    • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                    • _free.LIBCMT ref: 004482D3
                                    • _free.LIBCMT ref: 004482FA
                                    • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                    • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID:
                                    • API String ID: 3170660625-0
                                    • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                    • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                    • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                    • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                    APIs
                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                    • API ID: Process$CloseHandleOpen$FileImageName
                                    APIs
                                    • _free.LIBCMT ref: 004509D4
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 004509E6
                                    • _free.LIBCMT ref: 004509F8
                                    • _free.LIBCMT ref: 00450A0A
                                    • _free.LIBCMT ref: 00450A1C
                                    • API ID: _free$ErrorFreeHeapLast
                                    APIs
                                    • _free.LIBCMT ref: 00444066
                                      • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                      • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                    • _free.LIBCMT ref: 00444078
                                    • _free.LIBCMT ref: 0044408B
                                    • _free.LIBCMT ref: 0044409C
                                    • _free.LIBCMT ref: 004440AD
                                    • API ID: _free$ErrorFreeHeapLast
                                    APIs
                                    • _strpbrk.LIBCMT ref: 0044E738
                                    • _free.LIBCMT ref: 0044E855
                                      • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                      • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                                      • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                    • String ID: *?$.
                                    APIs
                                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                      • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                      • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • API ID: CreateFileKeyboardLayoutNameconnectsend
                                    • String ID: XQG$NG$PG
                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: `#D$`#D
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                      • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                      • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                      • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                    • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                    • String ID: /sort "Visit Time" /stext "$0NG
                                    APIs
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • __Init_thread_footer.LIBCMT ref: 0040B797
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: [End of clipboard]$[Text copied to clipboard]$hdF
                                    APIs
                                    • _wcslen.LIBCMT ref: 004162F5
                                      • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                      • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                      • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                      • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                    • API ID: _wcslen$CloseCreateValue
                                    • String ID: !D@$okmode$PG
                                    APIs
                                      • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                    Strings
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                    • User Data\Default\Network\Cookies, xrefs: 0040C603
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    APIs
                                      • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                    Strings
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                    • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                    • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040A20E
                                    • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040A21A
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                    • API ID: CreateThread$LocalTimewsprintf
                                    • String ID: Offline Keylogger Started
                                    APIs
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                                    • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
Yara matches
Similarity
                                    • API ID: CreateThread$LocalTime$wsprintf
                                    • String ID: Online Keylogger Started
                                    • API String ID: 112202259-1258561607
                                    APIs
                                    • CloseHandle.KERNEL32(00000000,00000000,0040F3BB,?,0044BC8A,0040F3BB,0046EBB0,0000000C), ref: 0044BDC2
                                    • GetLastError.KERNEL32(?,0044BC8A,0040F3BB,0046EBB0,0000000C), ref: 0044BDCC
                                    • __dosmaperr.LIBCMT ref: 0044BDF7
                                    Strings
                                    • API ID: CloseErrorHandleLast__dosmaperr
                                    • String ID: pzc
                                    • API String ID: 2583163307-2866483420
                                    APIs
                                    • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                    • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                    Strings
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: CryptUnprotectData$crypt32
                                    • API String ID: 2574300362-2380590389
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                    • CloseHandle.KERNEL32(?), ref: 004051CA
                                    • SetEvent.KERNEL32(?), ref: 004051D9
                                    Strings
                                    • API ID: CloseEventHandleObjectSingleWait
                                    • String ID: Connection Timeout
                                    • API String ID: 2055531096-499159329
                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                    Strings
                                    • API ID: Exception@8Throw
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 2005118841-1866435925
                                    APIs
                                    • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041381F
                                    • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,8)b), ref: 0041384D
                                    • RegCloseKey.ADVAPI32(?,?,0040F823,pth_unenc,8)b), ref: 00413858
                                    Strings
                                    • API ID: CloseCreateValue
                                    • String ID: pth_unenc
                                    • API String ID: 1818849710-4028850238
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                      • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                      • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                    Strings
                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                    • String ID: bad locale name
                                    • API String ID: 3628047217-1405518554
                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                    • ShowWindow.USER32(00000009), ref: 00416C61
                                    • SetForegroundWindow.USER32 ref: 00416C6D
                                      • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                      • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                      • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                      • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                    Strings
                                    • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                    • String ID: !D@
                                    • API String ID: 186401046-604454484
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                    Strings
                                    • API ID: ExecuteShell
                                    • String ID: /C $cmd.exe$open
                                    • API String ID: 587946157-3896048727
                                    APIs
                                    • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                                    • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                                    Strings
                                    • API ID: DeleteDirectoryFileRemove
                                    • String ID: hdF$pth_unenc
                                    • API String ID: 3325800564-514923600
                                    APIs
                                    • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,8)b,004752F0,?,pth_unenc), ref: 0040B8BB
                                    • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                    • TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5
                                    Strings
                                    • API ID: TerminateThread$HookUnhookWindows
                                    • String ID: pth_unenc
                                    • API String ID: 3123878439-4028850238
                                    APIs
                                    • API ID: __alldvrm$_strrchr
                                    • String ID:
                                    • API String ID: 1036877536-0
                                    APIs
                                    Strings
                                    • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                    • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                    • API ID: Sleep
                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                    • API String ID: 3472027048-1236744412
                                    APIs
                                      • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                      • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                      • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                    • Sleep.KERNEL32(000001F4), ref: 0040A573
                                    • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$ForegroundLength
                                    • String ID: [ $ ]
                                    • API String ID: 3309952895-93608704
                                    • Opcode ID: e4ff9062ebc1855ffc8709a41a4aeb88848ac43e96cbaf8abbe5df7ed01e55c0
                                    • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                    • Opcode Fuzzy Hash: e4ff9062ebc1855ffc8709a41a4aeb88848ac43e96cbaf8abbe5df7ed01e55c0
                                    • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                    APIs
                                    Yara matches
                                    Similarity
                                    • API ID: SystemTimes$Sleep__aulldiv
                                    • String ID:
                                    • API String ID: 188215759-0
                                    • Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                    • Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
                                    • Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                    • Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                    • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                    • Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                    • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                    • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                    • Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                    • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                    • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                    • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                    • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                    • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
                                    • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleReadSize
                                    • String ID:
                                    • API String ID: 3919263394-0
                                    • Opcode ID: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
                                    • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                    • Opcode Fuzzy Hash: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
                                    • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                      • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                    • _UnwindNestedFrames.LIBCMT ref: 00439891
                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                    • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                    Yara matches
                                    Similarity
                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                    • String ID:
                                    • API String ID: 2633735394-0
                                    • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                    • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                                    • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                    • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                                    APIs
                                    • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                    • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                    • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                    • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                    Yara matches
                                    Similarity
                                    • API ID: MetricsSystem
                                    • String ID:
                                    • API String ID: 4116985748-0
                                    • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                    • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                                    • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                    • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
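As an added triage example (written for this page; it is not part of the Joe Sandbox report, nor code from Remcos), the following Python parses "APIs" lines in the exact format used by the records above into structured calls, so the argument constants can be decoded instead of read by eye. The sample lines are copied from the records on this page. The decoding facts are fixed Win32 values: Sleep(0x1F4) is 500 ms and Sleep(0x64) is 100 ms, and GetSystemMetrics indices 0x4C to 0x4F are SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN and SM_CYVIRTUALSCREEN, the virtual-desktop bounds a multi-monitor screenshot routine needs. The rule that flags a function querying all four together as a probable screen-capture helper is this example's own heuristic, not a verdict stated by the report.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox report into structured
API calls, decode common argument constants and build a per-function API sequence.
Added example for triage; not part of the report or of the analysed sample."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: "APIs" lines copied from the records above (keylogger window-title
# helper, the GetSystemMetrics screen-size function, the URLDownloadToFileW downloader).
SAMPLE_LINES = """
  • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
  • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
• Sleep.KERNEL32(000001F4), ref: 0040A573
• Sleep.KERNEL32(00000064), ref: 0040A5FD
• GetSystemMetrics.USER32(0000004C), ref: 004193F0
• GetSystemMetrics.USER32(0000004D), ref: 004193F6
• GetSystemMetrics.USER32(0000004E), ref: 004193FC
• GetSystemMetrics.USER32(0000004F), ref: 00419402
• Sleep.KERNEL32 ref: 00416640
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
"""

# One call line: optional bullet, optional "Part of subcall function XXXXXXXX: ",
# Name.MODULE, an optional parenthesised argument list, then "ref: ADDRESS".
# The comma before "ref:" is absent when the report recovered no arguments
# (e.g. "Sleep.KERNEL32 ref: 00416640"), so it is optional here.
_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Win32 SM_* indices for the virtual desktop (documented constants, not guesses).
SM_VIRTUAL_SCREEN = {
    0x4C: "SM_XVIRTUALSCREEN",
    0x4D: "SM_YVIRTUALSCREEN",
    0x4E: "SM_CXVIRTUALSCREEN",
    0x4F: "SM_CYVIRTUALSCREEN",
}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]      # raw argument tokens as printed in the report
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # function whose subcall this line belongs to, if any


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one report line, or None if the line is not a call."""
    m = _LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = tuple(tok.strip() for tok in raw.split(",")) if raw else ()
    sub = m.group("sub")
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every call line in a block of report text, skipping other lines."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def hex_arg(token: str) -> Optional[int]:
    """Integer value of a hex argument token; None for '?' or symbolic tokens."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def describe(call: ApiCall) -> str:
    """Human-readable form with the constants this example knows how to decode."""
    if call.name == "Sleep":
        ms = hex_arg(call.args[0]) if call.args else None
        return f"Sleep {ms} ms" if ms is not None else "Sleep (duration not recovered)"
    if call.name == "GetSystemMetrics" and call.args:
        idx = hex_arg(call.args[0])
        return f"GetSystemMetrics({SM_VIRTUAL_SCREEN.get(idx, idx)})"
    return f"{call.name}.{call.module}"


def queries_virtual_screen(calls: List[ApiCall]) -> bool:
    """Heuristic (this example's assumption): a function that reads all four
    SM_*VIRTUALSCREEN metrics is sizing a full-desktop capture."""
    seen = {hex_arg(c.args[0]) for c in calls if c.name == "GetSystemMetrics" and c.args}
    return set(SM_VIRTUAL_SCREEN) <= seen


def direct_sequence(calls: List[ApiCall]) -> List[str]:
    """API names called directly by the function, excluding subcall lines."""
    return [c.name for c in calls if c.subcall_of is None]


if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE_LINES):
        print(f"{call.ref:08X}  {describe(call)}")
```

The parser keeps argument tokens as printed, because `?` means the sandbox could not recover the value and a symbolic token such as `FlsSetValue` is a string pointer target, so only tokens that parse as hex are decoded.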
                                    APIs
                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                      • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                    • String ID:
                                    • API String ID: 1761009282-0
                                    • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                    • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                                    • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                    • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    • API String ID: 3213639722-2276729525
                                    • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                    • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                                    • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                    • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                                    APIs
                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                                      • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                    • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                      • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                      • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                    • String ID: image/jpeg
                                    • API String ID: 1291196975-3785015651
                                    • Opcode ID: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
                                    • Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
                                    • Opcode Fuzzy Hash: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
                                    • Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6
                                    APIs
                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ACP$OCP
                                    • API String ID: 0-711371036
                                    • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                    • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                    • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                    • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                    APIs
                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                                      • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                                      • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                      • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                    • String ID: image/png
                                    • API String ID: 1291196975-2966254431
                                    • Opcode ID: d4f259a593197f1d9dbe7f79535cfb99d89987488e7eb69950e532603a38181c
                                    • Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
                                    • Opcode Fuzzy Hash: d4f259a593197f1d9dbe7f79535cfb99d89987488e7eb69950e532603a38181c
                                    • Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6
                                    APIs
                                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                    Strings
                                    • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: KeepAlive | Enabled | Timeout:
                                    • API String ID: 481472006-1507639952
                                    APIs
                                    • Sleep.KERNEL32 ref: 00416640
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                    Strings
                                    Similarity
                                    • API ID: DownloadFileSleep
                                    • String ID: !D@
                                    • API String ID: 1931167962-604454484
                                    APIs
                                    • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    Strings
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: | $%02i:%02i:%02i:%03i
                                    • API String ID: 481472006-2430845779
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                    Strings
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: alarm.wav$hYG
                                    • API String ID: 1174141254-2782910960
                                    APIs
                                      • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
                                      • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                      • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                    • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                    • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                    Strings
                                    Similarity
                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                    • String ID: Online Keylogger Stopped
                                    • API String ID: 1623830855-1496645233
                                    APIs
                                    • waveInPrepareHeader.WINMM(0062FA30,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                    • waveInAddBuffer.WINMM(0062FA30,00000020,?,00000000,00401A15), ref: 0040185F
                                    Strings
                                    Similarity
                                    • API ID: wave$BufferHeaderPrepare
                                    • String ID: XMG
                                    • API String ID: 2315374483-813777761
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _free
                                    • String ID: $G
                                    • API String ID: 269201875-4251033865
                                    APIs
                                    • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                    Strings
                                    Similarity
                                    • API ID: LocaleValid
                                    • String ID: IsValidLocaleName$JD
                                    • API String ID: 1901932003-2234456777
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                    Strings
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                    • API String ID: 1174141254-4188645398
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                    Strings
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                    • API String ID: 1174141254-2800177040
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                    Strings
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: AppData$\Opera Software\Opera Stable\
                                    • API String ID: 1174141254-1629609700
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: _free
                                    • String ID: $G
                                    • API String ID: 269201875-4251033865
                                    APIs
                                    • GetKeyState.USER32(00000011), ref: 0040B64B
                                      • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                      • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                      • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                      • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                      • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                      • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                      • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                    Strings
                                    Similarity
                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                    • String ID: [AltL]$[AltR]
                                    • API String ID: 2738857842-2658077756
                                    APIs
                                    • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                    • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: uD
                                    • API String ID: 0-2547262877
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                    Strings
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: !D@$open
                                    • API String ID: 587946157-1586967515
                                    • Opcode ID: 28875262e4bf0174853db4a5e6fd65081a004c09e6690994ece775789ea22bec
                                    • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                    • Opcode Fuzzy Hash: 28875262e4bf0174853db4a5e6fd65081a004c09e6690994ece775789ea22bec
                                    • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                    APIs
                                    • GetKeyState.USER32(00000012), ref: 0040B6A5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: State
                                    • String ID: [CtrlL]$[CtrlR]
                                    • API String ID: 1649606143-2446555240
                                    • Opcode ID: c765968ff3d10558f6a95e5840c5c1bc63f6cd989c8fe2dffd6df2c532e6808f
                                    • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                    • Opcode Fuzzy Hash: c765968ff3d10558f6a95e5840c5c1bc63f6cd989c8fe2dffd6df2c532e6808f
                                    • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                    APIs
                                      • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                    • __Init_thread_footer.LIBCMT ref: 00410F29
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: ,kG$0kG
                                    • API String ID: 1881088180-2015055088
                                    • Opcode ID: f9f143b1e95ac96eb86707cb7474d167dbc7ad60067a617d51a8135112e2f0db
                                    • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                    • Opcode Fuzzy Hash: f9f143b1e95ac96eb86707cb7474d167dbc7ad60067a617d51a8135112e2f0db
                                    • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,8)b,004752F0,?,pth_unenc), ref: 00413A31
                                    • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteOpenValue
                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                    • API String ID: 2654517830-1051519024
                                    • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                    • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                    • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                    • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                    APIs
                                    • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                    • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ObjectProcessSingleTerminateWait
                                    • String ID: pth_unenc
                                    • API String ID: 1872346434-4028850238
                                    • Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                    • Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
                                    • Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                                    • Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CountInfoInputLastTick
                                    • String ID: NG
                                    • API String ID: 3478931382-1651712548
                                    • Opcode ID: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                    • Instruction ID: 91b37e9d9b7f8f393223e5bf0be67cbbeb1ccf95644ad96dbec1e326022f3834
                                    • Opcode Fuzzy Hash: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                    • Instruction Fuzzy Hash: 84D0C97180060CABDB04AFA5EC4D99DBBBCEB05212F1042A5E84992210DA71AA548A95
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CommandLine
                                    • String ID: 8(a
                                    • API String ID: 3253501508-3000078942
                                    • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                    • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                                    • Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                    • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                    • GetLastError.KERNEL32 ref: 00440D35
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast
                                    • String ID:
                                    • API String ID: 1717984340-0
                                    • Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                    • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                    • Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                                    • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                    APIs
                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                    • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                    • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                                    • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4446161839.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4446126687.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446258133.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4446304097.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastRead
                                    • String ID:
                                    • API String ID: 4100373531-0
                                    • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                    • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                    • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                    • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99